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(57) ABSTRACT 

A co mputer diary arc hives a diary entry by creating, ti me 
stamping, authenticating and perm anently storing a refe r- 
ence data blo ck alon^ with each diary entry. A n archived 
cliary entry can only be modified by placing original text 
within compartment codes, such as cross-out or tear-out 
codes, and by placing inserted text within insertion codes so 
that the original diary entry can be recreated from the 
modified diary entry. The reference data block, which can be 
the original diary entry, a canonical version of the original 
diary entry, or a one way fixed length encryption (hash) of 
the original diary entry, cannot be modified and is used to 
authenticate the original diary entry. 

The diary program also monitors text entry for aliases and 
relative date phrases, and upon detection, prompts the user 
for entry or enters a specific identifier for each detected alias 
in an aUas compartment or an absolute date for each relative 
date phrase in an implied date compartment in the diary 
entry. 
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TIME-STAMPED TAMPER-PROOF DATA 
STORAGE 

CROSS-REFERENCE TO RELATED 
APPUCAnONS 

This application is a divisional application of Ser. No. 
08/020^54, filed Feb. 22, 1993, for A PERSONAL COM- 
PUTER DIARY, now U.S. Pal. No. 5,347,579, which in turn 
is a continuation-in-part application of Ser. No. 07/637,675 
filed Jan. 7, 1991, for DEVICES TO (1) SUPPLY AUTHEN- 
TICATED TIME AND (2) TIME STAMP AND AUTHEN- 
TICATE DIGITAL DOCUMENTS, now U.S. Pat. No. 
5,189,700, which in turn is a continuation-in-part applica- 
tion of Ser. No. 07/375,502 filed Jul. 5, 1989, for AN 
ARCHIVAL, SECURE DIGITAL MEMORY SYSTEM, 
now abandoned; the applications 07/637,675 and 07/375, 
502 are hereby incorporated herein in their entirety by 
reference. 

TECHNICAL FIELD 

The present invention relates to archived record keeping 
systems, such as a diary, for computers. 

BACKGROUND ART 

For hundreds of years artists, writers, politicians, and 
private persons have kept dairies. The diaries have generally 
been hand-written in a bound notebook on consecutive 
pages on which the date is either pre-recorded or is entered 
by the diarist as the entries are made. 

Hiis traditional method of keeping a diary has several 
useful features for the diarist and for subsequent readers. 
The diarist cannot easily go back and alter what he has 
written. Thus the diary is more likely a truer record of what 
the diarist actually thought at the time. The diary is "time 
stamped." Hie diarist may ink out or tear out pages, but it is 
clear to future readers that this has been done; the existence 
of an original record is apparent along with its mutilation to 
indicate the intent of the mutilator to destroy a particular 
entry. 

Only a proportionally small amount of text can be inserted 
at a later date, and this can possibly be detected by changes 
in ink or slight changes in handwriting, or by the fact that the 
additions have been written in the margin. To the degree that 
these changes can be detected the diary is tamper-proof. 

Any reader of the diary can be sure by the handwriting of 
the identity of the person who wrote the diary; that is, the 
diary can be verified to be authentic. The diary may be 
locked away so that it is private. 

Attempts have been made to provide a computer diary. 
Many such diaries are business oriented, designed to serve 
as reminders and not as permanent records. 

The Tandy corporation has marketed a software product 
named "My Personal Diary" which allows the user to type 
into the dated image of a page of a diary. Although the 
software controls access to the diary pages by use of 
passwords, it is possible for anyone with access to xisc the 
software to turn to any date in this diary, past, present, or 
future, and to delete and enter data at will. This is very unlike 
a real personal diary in that there is no way to determine if 
an entry for any date was written at any time close to that 
date or was written or changed months or years later. 

SUMMARY OF INVENTION 

In a first aspect, the present invention is simimarized in a 
computer system for archiving data blocks wherein a modi- 
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fiable or working version of an original data blodc is stored 
along with a write -once read-many (WORM) record con- 
taining the original data, a stripped version of the original 
data, or a hash signature of the original data together with the 
5 present date. Modifications to the working data blocks are 
made so that the modifications can be identified and 
removed or restored to recreate the corresponding original 
data block- The authenticity of the original data with its 
original entry date can be readily determined along with the 
subsequent modifications to the original data block. 

In a second aspect, the invention is summarized in a 
computer diary wherein storage of an original diary entry 
along with the present date is prohibited when the present 
date is before the date of the previously stored diary entry. 

In a third aspect, the invention is summarized in a 
computer diary wherein the forming and editing of diary 
entries includes monitoring the input of diary entries to 
identify entry of selected text entries or aliases having 
corresponding lists of one or more previously stored specific 
identifying terms, displaying the one or more of stored terms 
20 corresponding to the entered seleaed text entry to enable the 
diarist to identify a correct term for the ahas, and placing the 
identified term in the diary entry. 

In a fourth aspect, the invention is summarized in a 
computer diary wherein the entry of diary entries for cor- 
^ responding diary dates is monitored for the input relational 
date entries, and the diary includes formulas for computing 
absolute dates corresponding to the identified selected rela- 
tional date entries so that the computed absolute dates can be 
placed in the diary entry. 
^ It is an object of this invention to supply a computer diary 
system which will not only have the distinctive and useful 
features of a traditional diary, but also have many of the 
useful features which are attainable only through the aid of 
modern computers. 

Another object of the invention ia a diary which is to be 
kept generally proof against a casual attack by a typical user 
and can be implemented using software. Such a system need 
not necessarily be secure against a determined attack by a 
computer system professional or by a dedicated "diary 
^ tampering" program written by such a professional. 

A further object of the invention is a computer diary with 
word 'pirocessmg, texj time-stamping and authentication , 
se gire archivmg , and se lective access to different portions , 
o r "compartments", oYttie oiary^ 

One teature of the present invention is the possibility for 
the diarist to designate segments of text with beginning and 
ending codes signifying different compartments of the text 
wherein a piece of text may belong to several different 
compartments, each compartment can have its own 
password, and examination of the diary can be selectively 
restricted to users with knowledge of the appropriate set of 
passwords for the compartments of interest to them. 

Advantages of the invention include that the diarist can 
55 control access to the diary, that the diarist, even though he 
is the owner of the system, cannot alter, change the date of, 
or erase data which is time-stamped, authenticated, and 
already stored. 

Another feature of the invention is the provision of the 
60 capability to "tear-out" a limited amount of data per day by 
putting text into a tear-out compartment with a password 
which caimot be extracted from the computer diary by 
anyone, including the diarist. The diarist may, however, 
choose to keep a record of the tear-out password outside the 
65 computer diary if he so desires. 

In a further aspect of the invention the diarist can enter a 
limited amount of annotation data to previous dates, and if 
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desired by the diarist, such additions can be seen on display FIG. 22 is a flow diagram of an authentication procedure 

to be clearly distinct from data truly entered on that date by used in the computer diary of FIG. 1, 

placing the annotation data in its own compartment with its FIG. 23 is a flow diagram of an exit procedure used in the 

own display defaults; the system ensures that the diarist is computer diary of FIG. 1. 

never able use the annotation capability to falsify the initial 5 pjQ 24 is a block diagram of a computer system with 

data to any person in possession of all the required pass- hardware elements which can, alternatively, be used to 

words. perform some of the functions of the software embodiment 

In a still further fe atu re, the diary program ensures that of FIGS. 1-23 with greatly enhanced security, 
dat a is never t i me-stampe d with a dat e differept fr omjhatof p[G 25 is a block diagram of a second computer system 
tne cur rgni ^ock ,'n6'r ^th a time earEeflhan the most recen t lO hardware elements which can, alternatively, be used to 
previousTime a record was stored in the diary. perform some of the functions of the software embodiment 
BRIEF DESCRIFHON OF DRAWINGS °f P^^S. 1-23 with still greater enhanced security. 

RG. 1 is a general block diagram of major procedures DESCRIPTION OF THE PREFERRED 

included in one embodiment of a computer diary in accor- EMBODIMENTS 

dance with the invention. Asshown in FIG. 1. a computer diary in accordance w ith 

FIG. 2 is a flow diagram of initial procedures during t he invention Jncludes a word processing core 102 along 

startup of the computer diary of FIG. 1, \Wth an archive function 104 by means of which a user can 

FIG. 3 is a general diagram of object code used in the ^ t ime stamp and stor e a diary entry. The word processing 

computer diary of FIG. 1. function 102 can only edit or modily an archived diary entry 

HG. 4 is a general diagram of contents of a diary file by marking archived diary text or by inserting marked text 

produced and stored by tlie computer diary of FIG. 1. or other data so that the original archived diary entry can be 

FIG. 5 is a flow diagram of a clock checking procedure reconstructed. Authentication by function 106 is by com- 
used in the initial procedures of FIG. 2. 25 P^^"^g reconstructed text with a wnte-once read-many 

^ . a c *, A f (WORM) version of the ongmal diary entry or by compar- 

HG. 6 IS a flow diagram of a setup procedure of the J^^^^^ ^^^^^^^ reconstructed text and 

computer diary of FIG. 1. on^uBl date with a WORM hash signature of the original 

FIG. 7 is a view of a computer display screen produced m stamped entry. Preferably the program includes encryp- 

the setup procedure of FIG. 6. decryption 112 with storage input/output 114 

FIG. 8 is a view of a computer display screen produced in (for example magnetic disk input/output) of diary entries 

a main diary entry and editing procedure of FIG. 1. various file parameters. The user can save an incomplete 

FIG. 9 is a table of built-in relative date phrases with diary entry with save function 116, without time stamping 

corresponding reference dates and references to formulas for and archiving, for later recall and completion, but such 

computing absolute dates from the relative date phrases for incomplete diary entry is not accorded a lime stamp, 

use in the procedure of FIG. 17. The diary p r pgcam begins with the initialization mod ule 

FIG. 10 is a table of user created relative date phrases with 120 atterVmck^thcuse r selects a file m tunction 122. The 

corresponding references to formulas for computing abso- fireTlime uscr"ot me diary selects a new hlc name which 

lute dates from the relative date phrases similar to FIG. 9 but results in the program at 124 branching to a file setup 
which can be created during the setup procedure of FIG. 6, ^ fiinction at 126. In file setup 126, the user enters several 

FIG. 11 is a flow chart of one possible formula for optional file parameters including a master password. The 

computing absolute dates from relative date phrases referred user can also designate user compartments or text markers 

to in the tables of FIGS. 9 and 10. with associated passwords for permitting others limited 

HG. 12 is a table of built-in generic terms or alias words access to the diary file, 
used in the computer diary program of FIG. 1. 45 When a stored file is selected, the program branches at 

HG. 13 is a table of user generated generic terms or alias 1^ to a function 130 where several file parameters previ- 

words used in the computer program of FIG. 1. ously created in setup 126, including the master password 

HG. 14 is an example of an unique alias identifier table any user compartment passwords are input from the fi e 

containing Usts of specific terms which can be selected to ™ the inpuyoutpu^ m 
specificaUy identify aliases in the tables of FIGS. 12 and 13. so password at 130, then the Pl'l^^^V'^^^^^^ 

^ ^ ' ^ ^ J. pTnrpssinty and user interface 102 With full readAvnte acces s 

HG. 15 is a general block diagram of some diary entry t o^arv entries in the hie grantea at 132. The master^ Sti^D 

and editing fimctions of the computer diary of FIG. 1. 132 determines the existence of any previously sa^bu t 

FIG. 16 is a flow diagram of computer procedures to pon-archivcd diary entry and inputs any such entry fo r 

control selection oi appropriate permitted procedures in the d isplay by the word processor user interface lU2.1n the 

diagram of FIG. 15. a bsence ot an unc omplet ed diary entry, the user interface is 

FIG. 17 is a flow diagram of relative date phrase moni- set for the user to enteiL a new aiar y cntry^ 

toring and generic phrase monitoring procedures in the j£ ^^^^ ^ ^^^^^ master pass word at 130, th e, 

computer diary of FIG. 1. user is queried to enter any user comparimeni password s. 

HG. 18 is a flow diagram of a first portion of an gQ Correct entry ot one or more user compartment passwords 

archive/save procedure of the computer diary of FIG. 1. results in the granting of limited read-only access at 134. ljie_ 

FIG. 19 is a flow diagram of a second portion of the ijgiited uKcr Ls only permitted to input via storage input/ 

archive/save procedure of the computer diary of FIG. 1. output 114 those compartments (text previously madced b y 

FIG. 20 is a flow diagram of a text stripping procedure the master diarist) associated j witl ucorrectlv entered pa ss- 
used in the archive and restore procedure of FIG. 18. 65 words. Also the limited user is permitted tosearch and 

no. 21 is a flow diagram of a search procedure used in retrieve 136, print 13 8, and to im^q^and yport 140 trom 

the computer diary of FIG. 1. aaffT o_an external text or data fi le. Other diary and word 
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processing functions such as archive 104, storage output 
through input/output 114, save 116, setup 126, and other text 
editing and modification functions arc not permitted to the 
limited user. 

Failure to enter any correct password in procedure 142 
restilts in access denied 142 and return to master password 
query. 

The program includes monitoring procedures 144 and 146 
for relative date phrases such as today, tomorrow, yesterday, 
last Sunday, etc., and for alias words such as pronouns like 
he, she, we, they, or user identified non-specific names or 
aliases such as first names like Bill, Susan, etc. When entry 
of a relative date phrase or an alias is detected, the program 
suggests insertion of a specific term, such as the precise date, 
or selection of a term from a table of terms such as full 
names of the possible aliases. Tables of relative date phrases, 
alias words, date formulas and specific terms, can be edited 
and created in procedures 148 and 150. Alternatively, the 
diarist can elect not to insert the absolute date or the specific 
term. 

A user vnth master access options after electing exit 
function 152 is offered options to archive or save a diary 
entry if it was not previously archived or saved. 

In the initialize procedure 120 as illustrated in more detail 
in FIG. 2, the program is first loaded in step 160 and then 
sensitive program elements in the program are decrypted in 
step 162. FIG. 3 shows the structure of the object code in 
which, immediately after control is passed to the loaded 
program at 164, control proceeds to decryption code 166 
which decrypts sensitive data 168 which for example 
includes a secret, private (RSA) key, a data encryption 
(DES) key, and a manufacturer's password and places the 
decrypted data in operating condition with the rest of the 
object code. The elements 168 are encrypted with a con- 
ventional data encryption standard (DES) by the program 
manufacturer who includes the decryption code with its key 
in the program code 166. The purpose of the encryption of 
program elements 168 is to make it more difficult for 
someone to falsify authentication or to alter the archive file 
by decrypting, altering, and re-cncrypting with another 
program. Hie program then jumps at 170 to the main part 
172 of the program where in step 122, FIGS. 1 and 2, a file 
is selected. 

The file structure, shown in FIG. 4, includes a check sum 
196 which can be produced by conventional sxmnming, 
cyclic redundancy check, cryptographic secure hash proce- 
dures or the like; a check sum flag 198; a clock flag 200; the 
date 204 of the most recent archive; the quantity 206 of 
today's tear-out data together with today's date 208; the 
tear-out password 210; tear-out compartment display data 
212 such as whether an tear-out indicator with the number 
of words in the tear-out section or compartment is displayed; 
the master password 214; user compartment names, 
passwords, and display data 216; set or default parameters 
218 which determine the display of built-in compartments or 
marked text such as cross-outs, inserts, implied dates, 
implied alias, etc.; user alias tables 220; user date tables 222; 
diary entry sections 224 for each archived diary entry 
including reference or WORM data 226 and working or 
read/write data 228 with archive flag 229; an index file 230 
of all the working data including all text words (except for 
defined trash words like "a", "the'\ "and", "or*', etc.), 
implied dates, implied alias terms, and compartment or text 
marking codes; and an index file 232 of the diary entry 
sections 224 with their archive date of entry. 

Referring back to FIG. 2, the program in step 240 recal- 
culates the checksum of the file and compares this checksum 
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number with the checksum number 196 stored in the file. If 
these checksxun numbers are equal, the program branches to 
step 242 where a checksum flag is set true (T); otherwise the 
checksum flag is set false (F) in step 244 indicating that the 

5 stored file has been corrupted by use of some other program. 
A warning is issued if the checksum flag is F because the 
diary program will not permit further archiving to this 
archive file. In this case the diarist may choose to access a 
backup copy of the archive file in hopes that it will pass the 

10 checksum test. 

The user is requested in step 248 to enter a master 
password which is compared to the master password 214 
read from the file of FIG. 4. If they do not match, then the 
user is given the opportunity to enter a manufacturer's 

15 password in step 250. The manufacmrer's password is 
revealed to the user when the user calls the manufacturer and 
is properly identified (for example, by giving the maiden 
name of the user's mother as written by the program 
piirchaser on the user licensee registration card). Thus 

20 should the registered user forget the master password, full 
access can be obtained by calling the manufacturer. Master 
access is granted in step 252 when either step 248 or 250 are 
true. 

The diarist may grant limited access to selected data or 
^ marked text in the file by giving a limited viewer the 
compartment password of the corresponding data or marked 
text. When the limited viewer fails to enter either the master 
or the manufacturer's password, the limited viewer can enter 
a compartment password or passwords in step 254, If the 
entered password or passwords match one or more compart- 
ment passwords recorded in section 216 of the file, then in 
step 256, limited access is granted by setting the master 
password flag to F and a compartment read flag or flags to 
T for all compartments having the correctly entered pass- 
word or passwords. Failure to enter any correct password 
results in the step 254 being false and returning to step 248. 

When either full or limited access has been granted by 
either step 252 or step 256, the program performs the clock 
check routine 258 which, as shown in FIG. 5, first checks the 
clock circuit for failures in step 270. If a conventional 
computer clock circuit is used, loss of battery power or other 
clock malfunction will normally indicate a failure, and if a 
secure clock is employed, such clock will normally include 
one or more checking functions to insure that the clock is 
operating properly and has not been tampered. If the clock 
diagnostic check test in step 270 is true, then the clock time 
is compared in step 272 with the last archive time 204 
recorded in the file of FIG. 4. This step checks for changing 
of the clock time; for example the clock circuit on most 
computers can be set to any previous time by the computer 
setup procedure to attempt to falsify the date of a diary entry. 
When the clock time is greater than the recorded last archive 
time then the clock flag is set to T in step 274. If either step 
270 or step 272 are false then the clock flag is se t to Fin st ep 
2 76. Referring back lo the pfOCed-pTCrof-g Gr2>-lh&-SGtting 
of the clock flag to F in procedure 258 reSiitsin the program 
branching at step 28U to step 282 wberelEc use r is vyamed 
thai no I'Uithei m'cSiv ing to the tile is permittedl?ecause of 

^ the^lock fidure or mcorrecl date. 

^ In step 2iffl the program readslhe set or default param- 
eters 218 for the file of FIG. 4 and sets the computer display 
in accordance with the read parameters. The program then 
proceeds to the user interface of the word processing pro- 

65 gram 102, 

The setup procedure 126 which is called when a new file 
is selected during program startup or can be caUed firom the 
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user interface is shown in FIG. 6. In step 290, the user is 
given the opportunity to set various system and compart- 
ment parameters. As illxistrated in the display screen shown 
in FIG. 7 and used for setting the parameters, there are a 
variety of "compartments" listed in the second column 292 5 
including "CROSS-OUT', "INSERTION", "INSERTION_ 
DATE", "AUAS", "IMPLIED DATE", "TEAR-OUT", 
"DEFAULT", "PATENT', "FINANCES", "MOTHER", 
"LINDA", and "THE_KIDS". The Usted "MASTER" and 
"MANUFACTURER" are not compartments but are 10 
included because of their password functions. The first nine 
listed compartments including "CROSS-OUT", 
"INSERTION", "INSERTION_DATE", "ALIAS", 
"IMPUED DATE", "TEAR-OUT', and "DEFAULT' are 
system compartments while the last five listed compartments 15 
"PATENT', "FINANCES", "MOTHER", "UNDA", and 
"THE_KIDS" are examples of user created compartments. 
User compartment names can be changed, added, and 
deleted in the setup procedure, but modification of the listed 
system compartment names is not permitted. 20 

In the third column 294, passwords for the various com- 
partments are listed, except that the manufacturer's pass- 
word is never available to the user in setup and the tear-out 
password is only available during the setup of a new file or 
until changed from a default (a default tear-out password 25 
such as "PASS" is recognized by the software for being 
displayed and changed but any other tear-out password can 
not be displayed or changed). During the setup of a new file 
the entry of a "MASTER" password is required. The manu- 
facturer's password can be invalidated by depressing the 30 
"alt" and the "i" keys simultaneously while the cursor rests 
in the manufacturer's password row and column in FIG. 7. 
This causes the manufacturer's password to be replaced by 
the DES encryption of a user-input value using the secret 
DES key, and the entry in the password column for MANU- 35 
FACTURER to change from "valid" to "not valid." The 
program provides no capability to replace the new entry in 
the manufacturer's password location with another value, 
nor to change the flag from "not valid" to "valid." These 
procedures make it impossible for the diarist or the manu- 40 
facturer to know the new value in the manufacturer's 
password location by themselves; although it is still possible 
that in collaboration they could do so if the diarist retains a 
record of his input. The passwords for the other listed system 
compartments "CROSS-OUT", "INSERTION", 45 
"INSERTION_DATE", '"ALIAS", "IMPLIED DATE", and 
"DEFAULT* can be changed fi:om default words while entry 
of passwords for user created compartments "PATENT", 
"FINANCES", "MOTHER", "UNDA", and "THE_KIDS" 
arc required when the user creates the compartment. 50 

In the first column 296 are listed the compartment bound- 
ary codes by which the text segments or compartments are 
marked. The program employs the ASCII coding scheme for 
eight-bit bytes ranging from decimal 32 to decimal 127, and 
the boundary codes are selected from the remaining codes 55 
from decimal 0 to 31 and from decimal 128 to 255. Codes 
within these latter two ranges and which are not reserved for 
compartment boundary markers can be used for print or 
display formatting or for displaying various foreign and 
other characters and symbols in accordance with one or 60 
more of the conventional symbol sets employed in comput- 
ers and printers. The boundary codes for the system com- 
partments are fixed by the program and the program assigns 
boundary codes to user compartments as they are created. In 
the display, the boundary codes are displayed as reverse 65 
image characters, or characters with selected background 
and foreground colors. The boundary codes are placed at the 
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beginning and end of a text segment to mark that text 
segment as comprising a compartment; for example in FIG. 
8 the boundary code for the default compartment "jO|" is 
placed at the beginning of the text before "Last" and after 
"church." to define a segment of the text from "Lasf* 
through "church." as belonging to the "DEFAULT' com- 
partment. It is noted that compartments can be nested, that 
is, a compartment can defined for all or a portion of the text 
contained within another compartment. 

Referring back to FIG. 7, the fourth column 298 is set by 
the user to indicate whether the compartment is to be 
displayed except that the tear-out compartment is normally 
not available for being displayed as indicated by the word 
"none". The tear-out compartment can only be displayed 
under limited access granted by steps 254 and 256 of FIG. 
2 after entry of the correct password for the tear-out com- 
partment. 

When the text display for a defined compartment is set to 
"ON" in column 298, then the text within that compartment 
is displayed in the word processing screen of FIG. 8 with the 
corresponding compartment boundary codes, and when set 
to "OFF*, then neither the text nor boundary markers are 
displayed in the word processing screen even if the required 
passwords have been entered. 

The diarist can select the color of the text displayed within 
in a compartment, where a color computer monitor is 
employed, as shown in column 300 of FIG. 7. Priority of the 
compartments is set by the diarist in column 302. The color 
actually used, if text is in more than one compartment, is in 
accordance with the compartment with the highest priority, 
given in column six 302. If the two nested compartments 
have equal priorities, the color of the compartment closest to 
the top of the list is used. However, the tear-out compartment 
always has the highest. The compartments above the tear-out 
compartment in FIG. 7 have neither independent color nor 
priority, as indicated by the dashes, since they are always 
within another compartment, and thus are given the same 
color and priority as the compartment of the text within 
which they are placed. 

The last column 304 in FIG. 7 enables the user to set a 
missing text indicator in the event that the text display for 
that compartment is "OFF". For example, the missing text 
indicator for the TEAR-OUT compartment is "ON" in FIG. 
7 and in FIG. 8, text in the tear-out compartment is indicated 
at 310 by "|T73|". The indicator "T' is the boundary code 
indicator, see column 296 in FIG. 7, for the tear-out 
compartment, and the number 73 indicates that 73 words are 
in the tear-out compartment. Only for text missing because 
it has been torn out is the amount of text (73 words in this 
case) indicated. A missing text indicator 312 shows that 
patent compartment (code |1|) contents are missing. 
However, there is no indication of how much text is missing. 

After the compartment parameters have been set and 
saved by the step 290 in the setup procedure of FIG. 6, the 
program proceeds to the edit/create date and alias table 
functions in step 320. A built-in date word phrase table 322 
is shown in FIG. 9; this table is built into the object code and 
can not be edited by the user. The buih-in date phrase table 
322 contains common relative date terms illustrated in 
column 324 such as "yesterday", "last night", "tomorrow", 
"today", "this morning", "Thanksgiving", "Christmas", etc. 
together with a possible reference date in column 326 and a 
formula index number in column 328. The formula pointed 
to by each formula index number 328 calculates an absolute 
date, for example "Dec. 25, 1992", for the corresponding 
relative date phrase 324 "last Christmas" using the present 
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clock date and the reference date 326 when required. For 
example the formula for "last Christmas" as shown in FIG. 
11 first determines in step 332 if the present month and 
day-of-month is greater than the reference date for the 
current year, and if so, combines the present year with the 5 
reference date in step 334, otherwise the previous year is 
combined with the reference date in step 336. Formulas for 
other relative date phrases can be easily composed by a 
skilled programmer. 

A user's date word phrase table 222, stored in the file of lo 
FIG. 4, is shown in FIG. 10 and contains date phrases, 
reference dates and formula Dumbers entered by the user in 
step 320 of FIG. 6. Typically this user's date phrase table 
contains birthdays and anniversaries of the diarist, relatives 
and friends and other important dates. The user's date phrase 
table of FIG. 10 is used in the same manner as the built-in 
date phrase table of FIG. 9. 

A built-in alias word table 340 is shown in FIG. 12, a user 
alias word table 342 is shown in FIG. 13 and a unique alias 
identifier table 344 is shown in FIG. 14. The alias table 340 ^ 
is built into the object code while the tables 342 and 344 are 
created or modified by the user in step 320 of FIG. 6 and 
stored in the user alias table section 220 of the file of FIG. 
4. The built-in alias, word table 340 contains a list of 
commonly used pronouns, such as "he", "she", "it", etc. and 
other common terms such as "mother", "home", etc. The 
user table 342 of alias words typically contains first names 
of relatives and friends of the diarist. The unique alias 
identifier table 344 contains each of the alias words of tables 
340 and 342 together with respective lists of specific names 
or terms identified by each of the alias words. 

In the bottom line of the screen 290 are Usted toggles 314, 
315 and 316 which can be pointed to and used to quickly 
change the display screen if the master password is T. For 
example, pointing and clicking on text display toggle 314 
alternates the display of compartments between all displayed 
and the settings of column 298. The missing text toggle 
cycles through all on, all off and the settings of column 304. 
Similariy the colors toggle 316 cycles through all on, all off ^ 
and the settings of column 300. 

After modification or creation of the tables of FIGS. 10, 
13 and 14 in step 320 of FIG. 6, the program proceeds to step 
348 where other parameters of the program are edited. For 
example, the user can identify a particular display card such 45 
as Hercules, VGA, etc. and can identify a particular printer 
to be used by the program. 

The word processor 102 of FIG. 1 includes a number of 
functions as illustrated in table 360 of FIG. 15 which can be 
called by the pointing and clicking by means of a mouse on so 
one of the user interface buttons shown in FIG. 8, pressing 
a cursor movement key, pressing a selected function key, or 
simultaneously pressing a Ctrl or alt key with a selected 
function key. The functions listed in table 360 are divided 
into columns under limited access functions 362 and master 55 
access functions 362, and the master access functions are 
further divided into columns under non-archived text 366 
and archived text 368. As shown in FIG. 16, the calling of 
a word processing function proceeds to step 372 where it is 
determined if the master password flag, set in step 252 or 60 
256 of FIG. 2, is true. If false, the program in step 374 
determines if the called function is one of the functions 
permitted under in the limited access column 362 of FIG. 15, 
and if so proceeds to perform that hmited access function in 
step 376; if the called function is not permitted under limited 65 
access the program ignores the function call and returns to 
the user interface. 
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When step 372 of FIG. 16 is true, the program goes to in 
step 378 where it is determined whether the current text of 
interest has been previously archived. All text in a diary 
entry which has not been previously archived is non- 
archived text. Text previously inserted (placed in an inser- 
tion compartment) in a previously archived diary entry is 
also non-archived text; only the original archived text is 
designated as archived text. If step 378 is true, the program 
branches to step 380 to perform the corresponding archived 
function in column 368 of FIG. 15; otherwise the program 
branches to step 382 to perform the corresponding non- 
archived function in column 366 of FIG. 15. 

The word processing functions illustrated in FIG. 15 
include, beginning at the top row of the table, text display 
384, cursor movement 386, text entry 386, file import 390, 
scrolling text 392, deletion 394, printing 396, blocking text 
functions 398, and exporting to file 400. It is noted that the 
listed word processing functions are only exemplary, and 
that many other word processing functions could be 
included and/or one or more of the hsted functions could be 
excluded without affecting the useabilily of the diary pro- 
gram. 

Text display under limited access is limited to those 
compartments for which the user has entered a conect 
password. Preferably, when one or more diary entries 224, 
FIG. 4, are read from the storage file under limited access 
and placed in a working memory buffer, the jprogram deletes 
from the buffer all text and data that is not contained in a 
compartment to which access is granted. Additionally each 
diary entry 224 includes both reference data 226 and work- 
ing data 228; the reference data is hot used in any limited 
access function and can be deleted firom the buffer or not 
inputted from the storage file when only limited access has 
been granted. When master access has been granted, work- 
ing data or text 228 is displayed according to the display 
parameters set in the setup function of FIG. 7; the reference 
data 226 is never displayed except insofar as the working 
data includes reference data or text within displayed com- 
partments. 

The cursor movement functions 386 and the scrolling text 
functions 392 are generally the same for all displayed text. 
Cursor movement and scrolling under either limited access 
or master access is only performed in displayed text or data. 
Printing and exporting functions 396 and 400 differ between 
limited access and master access in that under limited access 
only that text in compartments for which access has been 
granted can be printed or exported whereas under master 
access text in any displayed compartment can be printed or 
exported. Printing and exporting of blocked text in function 
398 is similarly limited to displayed text or data. 

Any function which involves modification of the working 
data, such as text entry 388, import 390, deletion 394, and 
some block functions 398 like block deletion, copying, 
moving or text marking is not permitted under limited 
access. 

Data modification fiinctions differ between archived text 
and non-archived text. When a diary entry is archived, the 
corresponding reference data 226, FIG. 4, is produced and 
stored, and this reference data cannot be modified or 
changed by the diary program; editing reference data or any 
other data by a conventional file editing program will most 
likely render the file or diary entry invalid and unusable in 
the present diary program. However, working data 228 can 
be modified or changed in the computer diary program with 
the provision that if the corresponding diary entry has been 
previously archived, the modifications and changes are 
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made in a manner that the original archived text or data can ment. The compartment in which data or text is to be entered 

be recreated from the working data. Thus under the archived is selected by pointing and clicking on the compartment 

text column 368, text entries 388 and file imports 390 are button at the top of the screen in FIG. 8 or by pressing ao 

placed in insertion compartments (see the text segments appropriately assigned function key or simultaneous com- 

bracketed by |I| . . . ;i| in FIG. 8), Under the non-archived text 5 binalion of shift, CTRL or ALT and function key. Any text 

column 366, text entries or imported files are not marked in not otherwise placed in a tiser defined compartment is placed 

insertion segments or compartments. Deletions 394 under by the program in the default compartment, 

column 368 of original archived text are made by placing the During text entry or cursor movement, the word processor 

deleted text in a cross-out compartment (see text segments functions 144 and 146 of FIG. 1 monitors words at and 

bracketed by |X| . . . |X| in FIG. 8) while deletions to ^^^^ cursor and suggests absolute dates for relative date 

non-archived text are made in the usual manner of deleting phrases and correct unique identifiers for aliases. A proce- 

such text from the working word processor buffer. Any dure called by text entry or cursor movement for performing 

insertions into insertion compartments that have been made these functions is illustrated in FIG. 17. In step 410 the 

in previously archived original text are recognized as non- program determines if a date phrase (phrase matching any of 

archived text, and further insertions and deletions in such j^te phrases listed in the first columns of the tables of 

insertioD compartment text are made under column 366 in FIGS. 9 and 10) is near the cursor. If true, then in step 412 

spite of the fact that the diary entry has been previously determined if this date phrase has been previously 

archived. detected such as by being highlighted. If not, then in step 

^In texFRScfciBg 398 under the archived text column 368, 414 the newly detected date phrase is highlighted (see 

deletion of blocked text involves marking the text block in 20 highlighted text 430 in FIG. 8) and any previously high- 

a cross-out compartment. Copying of blocked archived text hghted date phrase is returned to normal. Also in step 414, 

involves placing the text in an insertion compartment at the the absolute date for the date phrase is computed using the 

new copy location. Moving of blocked archived text formula pointed to by the corresponding formula index 

includes both marking the blocked text in a cross-out number of FIG. 9 or 10 if there is no implied date compart- 

compartment at the old location and marking the blocked 25 ment |ID| . . . |ID| immediately following the phrase. The 

text in an insertion compartment in the new location. Where calculated absolute date or an already existing implied 

copying or moving involves archived text at one location absolute date is displayed at 418 in the user interface of FIG, 

and non-archived text at the other location, such copying or and the user is given the opportunity in step 422 of 

moving would be include operation under archived coltimn confinning, step 424, or declining the suggested or existing 

368 at the one location and operation under non-archived 33 implied date or of entering manually another absolute 

column 366 at the second location. implied date, step 426; as a program setup option the 

Blocking functions 398 under archived text column absolute date may or may not be confirmed by default if the 
include the option of marking the blocked text in a tear-out user continues to enter text or move the cursor. In either of 
compartment (see the tear-out marker |T73| in FIG. 8). Text steps 424 or 426i the corresponding implied absolute date is 
segments placed in a tear-out compartment are not available 35 placed in an implied date compartment immediately after the 
for display or printing unless the user remembers the tear-out date phrase. An implied date indicator |ID| is not displayed 
password or has kept a copy of the tear-out password and in after the relative date phrase unless the corresponding miss- 
starting the diary program elects not to enter any master or ing text indicator in column 304 of FIG. 7 is ON and the 
manufacturer password but correctly enters the tear-out implied date itself is not displayed unless the corresponding 
password at step 254 in FIG. 2. In this manner the tear-out 40 text display indicator in column 298 is ON. 
compartment resembles in result a diarist tearing out a page From steps 424 and 426, from step 422 when decline is 
or a portion of a page of a diary; the tear-out and its relative chosen, from step 412 if true or from step 410 if false, the 
quantity can be made visible but the contents of the tear-out program proceeds to step 436 where the words near the 
arc normally not available. cursor are compared to the alias words in the tables of FIGS. 

Text bl ocking 398 is also used to mark a blocked t ext 45 12 and 13. If there is a match then in step 438 it is 

segment in on e or more of the user defined compartmen ts determined if the alias word has been previously detected 

l isted below the det'ault compartment of F IG. 7. Althoug h such as by being already highlighted. When step 438 is false, 

n ot illustrated in the drawings, the wor^jr^^^^^ r i ncludes the program in step 440 highlights the newly detected alias 

such standard options as blockm g andmarking text fo r word, removes the highlighting from the previous alias word 

unagftmm gTTtffHcgre^cri^loc^ jsTig hUghtcd with 50 if displayed, and displays the corresponding list of specific 

the mouse or cursor and then a button is selec ted res ulting alias identifier words from the table of FIG. 14 at 442 in FIG. 

in underUne7itaUcs, e tc. codes^Being placed before and^ ter 8 if the alias word does not have any alias compartment 

the "El pgronexTTh e display or printing portio n ofh e marker 1A| immediately following the aUas word; if the alias 

word-processing program d etectsTBese c odes a nd"5[ispla ys word is followed by |Aj the contents of the alias compart- 

th e^text as underimed^ italics, etc. usuairTmlh the cod es 55 ment are displayed at 442. The diarist in step 444 is given the 

hiddea*^ option usually exists to either hide or reveal the opportunity to select one of the displayed specific identifier 

codes for the bold face, italic, etc. options. Also standard termsby simultaneously pressing ALT and the number of the 

delete options exist to delete normal printing and formatting identifier term (the identifier terms can be scrolled if they 

codes as well as compartment codes other than the tear-out can not all be di^layed in the space 442) causing the 

compartment codes as desired. System compartment codes eo program in step 446 to insert the selection into an alias 

in non-archived text can also be deleted. compartment immediately following the alias word. When 

Text or data entry is always into one or more (if nested) an alias compartment already exists at step 444, the diarist 

of the default and user defined compartments. For example can simultaneously press ALT and "I" to erase the existing 

in FIG. 8, the upper seven lines of displayed text are in a the existing identifier term and call the corresponding list for 

default compartment bracketed by |0| . . . jO|. The patent data 65 display at 442 and selection. Simultaneously pressing ALT 

in line 8 is not in the default compartment but is within its and "A" at step 444 causes the program to branch to step 448 

own compartment |1| . . . line 8 is in a default compart- where the diarist can enter a new specific identifier term into 
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the corresponding list in the alias table and into an alias 
compartment immediately following the alias word. Press- 
ing ALT and "D" simultaneously results in no alias identifier 
term being selected. If the diarist continues to type or move 
the cursor, the program in accordance with a setup default 5 
option either inserts no alias compartment or selects the first 
displayed specific identifier term in step 446, or makes no 
change if the alias compartment already exists. When a new 
term is added in step 448, or a selection other than the first 
selection is selected in step 446, the program in step 450 
sorts the corresponding list in the alias table by placing the 
current selection as the first item in the list, and the next 
closest preceding different alias identifier term (found in the 
corresponding list) as the second term in the list. The third 
location in the sorted list, if different from the first two, is the ^5 
unique identifier most frequently found in the preceding two 
pages of diary entries. The order of any remaining terms 
following the second term remains unchanged. 

The archive/save functions 104 and 116, FIG. 1, are 
illustrated in the procedure of FIGS. 18 and 19. The save 20 
function 116 allows the diarist to temporarily save a new 
diary entry that is incomplete without ardiiving. When a 
non-archived diary entry is saved (as contrasted with 
archived) the diary program stores a corresponding working 
data section 228 without forming and storing any reference 25 
data section 226, and the corresponding archive flag in the 
working data will be false. When tiie diary entry has 
previously been archived, the save and archive functions are 
the same. In step 502 it is determined if the master password 
flag is true; no save or archiving is permitted for a user with 30 
limited access. The existence of suitable data is determined 
in step 504; the saving or archiving of an empty diary entry 
or one without any words or display able data is generally 
prohibited. 

Next in step 506 the program determines if the data is to 35 
be stripped. Generally all diary entries are to be stripped; 
however if a diary entry consists entirely of graphical data 
then stripping could distort the data to the extent that no 
useable data remains after stripping. The stripping procedure 
508 is illustrated in FIG. 20 and includes step 510 where any 40 
text within insertion, insertion date, aUas, and implied date 
compartments is deleted, step 512 where compartment and 
formatting codes are deleted, and step 514 where consecu- 
tive blank spaces are compressed to single blank spaces. 
This results in a canonical form of the text. A person skilled 45 
in the arts of compression and encryption will appreciate 
that many other canonical forms are possible. 

Referring back to FIG. 18 in step 520, it is determined if 
there is an archive flag for the present diary entry, i.e. if the 
present diary entry has been previously archived. A diary 50 
entry can only be archived once, i.e. stored reference data 
226 is WORM data and cannot be changed; changes can 
only be made to the working data 228. AA^en Uie diary entry 
has not been previously archived, the program proceeds to 
steps 522 and 524 where the clock and check sum flags, 55 
respectively, are sensed to insure that the clock is appears to 
have the correa date and that the file has not previously been 
corrupted. In step 526 the program determines if the diarist 
wishes to only save the diary entry without archiving, i.e. did 
the user select save 116, FIG. 1. If false, the program then 60 
in step 530 determines if the present clock date is unlikely, 
for example more than one week past the last archive date. 
When true, the diarist must confirm in step 532 that the date 
is correct to ensure that the computer dock is not been set 
or is not malfunctioning to give a date in the distant future 65 
which would prevent storage of later diary entries with dates 
prior to that future date. 



In archiving the diary entry, the program at step 534 
appends the real clock time to the stripped text and working 
data. Then in step 536 a digital signature is computed on the 
time stamped stripped text; the digital signature is a one-way 
encryption of the text and time data into a fixed length code 
that is most highly unlikely to be reproduced if changes were 
made in the text or data. This digital signature is appended 
to the time stamped stripped text to form the reference data 
226 of the corresponding diary entry. Next in step 538 the 
archive flag in the working data is set tme following which 
the indexes 230 and 232 and the date 204 of the most recent 
archive are updated in step 540. The reference data 226 and 
working data 228 are then encrypted in step 542, the 
checksum 196 is updated in step 543, and the encrypted 
reference data working data are stored in step 544. 

If in step 520 of FIG. 18, it is found that the diary entry 
has previously been archived, i.e. the archive flag is true, 
then the program branches to step 550 of FIG. 19 where the 
stripped working data is compared to the stored reference 
data. Alternatively where the reference data is only a digital 
signature, the step 550, FIG. 19, computes the digital 
signature on the stripped working data with appended time 
stamp (see step 536 of FIG. 18) and compares the resulting 
digital signature with the stored reference data. Step 550 
detects modification of the original diary entry portion of the 
text by any program other than the present diary program 
and when such a discrepancy is uncovered produces an error 
message and prevents storing the modified working data. 

^l*hm ift ^ "^a*^^ ^" ^*^-P t^g" ^he program proceeds 
to ste p 552 where it is determined if there is sufficient dis k 
storage s pace to save the file w it h the modified or ggg, 
w orkmg d ata. ^>tep ^ 52 is also Ee entry point for atit^ ^b 
fr5rn™lep 526 wh en thediarist has selected to save an new 
diarV entry wiih oui archiving . In the next step 554nth e 
program determ ines it' the quantity of tear-out words fo r 
toclay exceed a max imum Imiit. T he diarist is inhibited fro m 
maklilg Yitge sc^le tear-outs ot major portions ot the store d 
diffr^ entnes by p ermitting the diarist to tear-out (place in jh e 
teSr=mit cbmpartment) only a relatively small portion of any 
l arge (quantity of diary text; the diarist over a period o f 
several or many days may te ar-out most or all of the tej * 
le-iear-out limit is not violated, then the program in 
step 556 updates the file tear-out quantity 206, in step 558 
updates the indexes 230 and 232, in step 560 encrypts the 
working data, in step 561 updates the checksum 202, and in 
step 562 stores the working data in read/write memory such 
as a magnetic disk. 

The searc h and retri eve procedure 13 6 is shown in FIG. 
21 andTn ^de s_step STO^where the user enters one or mo re 
search parameters such as date, date range, name, key tex t 
w ords, compartment name, and the like. N ext m steps 572 
and 574, the program mputs the indexes 230 and 232 and 
looks for the search parameter or parameters. When a match 
is found the corresponding working data block or blodcs are 
input in step 576. In step 578. the program determines if 
there is only limited access, and if so, then deletes the 
non-accessed compartments fi:om the inputted data blocks in 
step 580; otherwise, the corresponding reference data blodc 
or blocks are input in step 582. 

The authenticate procedure is shown in detaiTin FIG. 22 
wherein the first step is to input the time-stamped data 
(working data if reference data consists only of a signature) 
and the signature (reference data). If the input data is 
working data text, then die program branches at 604 to the 
strip data procedure 508, FIG. 20. At step 608 tiie program 
branches to conventional public key procedure 610 if the 
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public key procedure is used in authentication. Otherwise, seal 734 to an I/O port 736 connected to the bus 712. The 

the program proceeds to step 612 where the signature is physical seal prevents access to the circuits and data in the 

computed from the stripped text and appended time stamp. device 700 except through the port 732. The microprocessor 

This computed signature is compared to the signature in the 7O8 and the I/O port 736 prevent seizure of control of the 

archived reference data and if found identical at step 614 5 data and the device through the port 732 on bootup. Once the 

returns a confirmation signal in step 616; otherwise a device is booted the microprocessor treats all input as data 

non-Donfirmation signal is returned in step 618. ^nd reissues only valid commands related to data authcnti- 

As illustrated in FIG. 23, the exit procedure 152, FIG. 1, cation. A major function of the physical and electrical 

begins with detecting the checksum flag in step 630 and the security is to ensure that the keys and manufacturer's 

master password flag in step 632. If either are false (F) then password can be kept secret. 

the program returns to the operating system. If both the embodiment employing the authentication/ 

checksum and master flags are true, then the progranaat step. ^" \- 7 ■ ^nn *u j • Tnn- a* *• ^ 

€^:m ^ aie u s et Ihe o p^grm^ ca^ll tiie archiv e ^^^H^P^/'" device 700, the device 700 is used to time-s amp 

fa53tSnT0 4 tha t m y new dliiiy en try that may have b -^en and authenticate data m place of using software algonthms 

pfoauceacaBijrardW user dechnes to arch ive as was accompbshed m the previously described software 

-a-dto y entr y a rgtc p-gSy tiie opportunity to call the save only embodiment at step 536 in HG. 18 or step 612 in FIG. 

function 116 is presented in step 636. In any event the 22. The data is passed to tiie device 700 through the 

program returns to the operating system at the end of the exit communications port 732 from the CPU 704. The data is 

procedure. stored in the RAM 722. The encryption device 724 is first 

In another embodiment of Uie digital diary, special hard- used to compute the hash of the data. (This hash could 

ware shown in FIG. 24 is used. An authentication/encryption 20 alternatively be computed in the CPU and it alone be 

device 700 is connected to the CPU 702 operating diary transmitted to the device 700 instead of transmitting the 

object code 704, and may be used to improve the security of complete file and having the hash computed there.) Then the 

the time-stamping, authentication, and authentication veri- current time from the clock 716 is appended to the hash, and 

fication as well as for the encryption and decryption of the encryption device is used to compute a digital signature 

stored data. The device 700 comprises a microprocessor 708 25 of the hash and appended time using the authentication 

to control the overall system under the control of a program private key 726. The hash, time, and digital signature are 

stored in the Read Only Memory (ROM) 710. Communi- returned to the CPU 702. At Uiis point the diary object code 

cation between the elements of the device is carried on via resumes in FIG. 18 or 22 as if steps 536 and 612 had 

a bus 712. Also included in the device is a digital clock 716, proceeded strictiy in the diary software object code, 

powered by a ^^clde-cha^ed^b^^^^^^ can be 30 ^ second use of the authentication/encryption device 700 

acce^d from outside the device °^de^^^^^^ is to encrypt and decrypt all data as it is stored and recovered 

un-interrupted power to the clock 716. The dock 716 ^ set ^^e archive file of FIG. 4. In function 112 of FIG, 1, the 

at the factory and is secured ^g^"^!,^^^? 5.^^^^^^ CPU 702 passes the encrypted file, or a portion thereof, to 

mcludmg the owner of ^^^^^^^^^^^ the device 700 with tiie appropriate decryption instruction to 

periodically runs diagnostic checks on 35 ^ the decrypted data is returned to the 

shuts down all operations of the device should the d^a^os- O^P ' irfunction 110 of FIG, 1, the 

tics fail. One of these diagnosUcs is to P^^^^;;^^^^^^ data to be stored is passed to tiie device 700 by the CPU 702 

T^Jfl ZhW iMer with the appropriate encryption instruction and the 

memory (RAM), and to check tiiat the current t^me is late r PP P ^P ^^^.^^ ^^0. 

than the stored tmie. TTae device ^^^^ ^7°^^^^^ 40 ^^^^ decryption being performed using 

722 used bv the microprocessor 708 and an encryption »^ jy - Lu •» :Z 

' , "=»^u . , , , f , . c 'Z^r.^. the diary object code as m the previous embodiment, it is 

Sd b tiem P^^f°"°^d authentication/encryption device 700. 

^e eniptrn device 724 is capable of computing digital . .When daU is received by ^J^^^.^l^^^^^^ 

signaturesYnd of encrypting and decrypting data. It contains 45 ^ P^t^f,^ ^ T VL^a t^^Zt^^^^^ 

w^in it in a secure and tamper-proof mamier the RSA encrypted by the encrypUon de^ace 724 usmg ^ 

authentication private key 726 and/or the DES encryption encryption key 728 and then the encrypted data is passed 

key 728 which have been discussed previously. The manu- back to the CPU 702 by the mput/output 736. DecrypUon is 

facturer's password 730, which has also been discussed perfomied in a simdar manner. 

previously, is stored in tiie embodiment of FIG. 24 in the 50 The tiiird and final function of the authentication/ 

non-volatile RAM 720 and thus is not encrypted and stored encryption device 700 is to perform authentication on data 

in the object code of the diary program as in the previous submitted to it. In this case the public key auOientication step 

embodiment in FIG. 3 at 168. Thus tiie diary program object 610 of FIG. 22 which has been discussed above is performed 

code 704 does not contain any portion of object code to within the device 700 instead of wiUiin tiie diary software, 

decrypt and replace those data in the object code (see 166 in 55 The autiientication is performed using the public key of the 

pjG 3) private key-public key pair. The signature, decrypted using 

The option of invalidating the manufacturer's password in the pubhc key, is returned to the CPU 702 where it may be 

this embodiment is allowed to be a valid command to the compared to the stored time-stamped hash. The pubhc key 

encryption/decryption device 700 so long as the master is stored within the encryption device 724 for convemence 

password has been input to the device. The same procedure eo even though it is not secret and could be input with the daU 

may be followed as in the software embodiment except that itself. 

in tills case the replacement of the original manufacturer's At this point we remark that there are metiiods of authen- 

password takes place in the encryption device; the manu- tication which have only a single secret key, so called secret 

facturer's password and its replacement are placed in non- key methods. In this case the time-stamped text with the 

volatile RAM 720 in the encryption device. 65 digital signature for which verification of the authentication 

Hpy jiix^ 700 accepts data from tiie CPU 702 via a is desired is input to tiic secret-key encryption/authentication 

communications port 732 which passes tiirough a physical device 700 and a new digital signature is computed on tiie 
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time stamped text without the current date being appended. and controller 752. conn ected through a second I/O port 754 

Then the new digital signature is compared internally to the to an I/O device 756. Injhe device 75 0 the seal 734 en doses 

original digital signature and if they are the same a confir- aEo the disk-drive andcontroiier t o pr event physical 

mation signal is emitted to the CPU. In this approach the a ccess to the arcnivai mes^ of~"b iLi. "47^ in^ e 

newly computed signature cannot be returned to the CPU to 5 a uthentication/encryption device 700 of FI G. 25, the mi cro- 

check authentication by comparison with the existing sig- processor 708 also cxa rnine s all commands from the C PU 

nature since, if this were done the user of the device could 702^ data to ensure that the y ^^^^^^^^^ 

falsify an authentication by submitting data with a realistic comnian ds stored m KOM 710. A record"'is kepTin non- 

but falsified time-stamp and thus obtain the digital signature volatilc^TONTT^'tfof locations on the hard"disk where the 

appropriate to any date without knowing the secret key. So reference data 226, FIG. 4. previously written are located. A 

in this case the device 700 follows the secret or non-public command to write to these locations is not permitted. (Of 

key path procedure outlined in FIG. 22, The device 700 course, should the disk be a WORM optical disk instead of 

internally computes the digital signature (612 of FIG. 22) of a magnetic disk, as in this embodiment, it would be unnec- 

the time-stamped hash and then internally compares (step e ^ry to include tbis-cestrictionj ^ 

614 of FIG. 22) to the input signature. If they are identical ■ To further enhance the security of the embodiment iising 

the device 700 returns a confirmation signal to the CPU 702. the secure archival memory system in FIG. 25, the software 

If they are not identical a non-confirmation signal is returned code which examines retrieved text to ensure that only data 

but not the calculated signature itself. This same procedure with the proper passwords are available to user (discussed 

would be followed if a secret key authentication method above in connection with retrieval step 580 in FIG. 21) is 

were used in the software only embodiment. replaced with similar code in the ROM 710 and used to 

In a variation of the secret or non-public authentication delete data returned from the disk which is in compartments 

approach a second nearly identical encryption/ for which passwords have not been received from the CPU 

authentication device (not shown) with the same secret key 702. Tliis ensures that such data never leav^ the protected 

but without the capability to output a signature could per- and secure archival memory device consisting of the disk 

form the same verification of authentication without the ^5 drive and controller 752 together with the authentication/ 

verifier being able to falsify the document after he has encryption device 750 within the physical seal 734, unless 

received it. Note that the second device need not have a the appropriate passwords have been input. The code dis- 

real-time clock 716, nor its battery 718, nor need it have an cussed in reference to step 580 in FIG. 21 is thus transferred 

encryption capability except as required to compute the . from the diary object code of FIG. 3 to the ROM 710 in the 

digital signature. We may term these second devices secret 30 embodiment in which the secure archival memory device is 

verification devices. Obviously these devices will be sub- used. 

stantially cheaper and more robust than the complete Also, since the device 750 protects the data from those 

encryption/authentication devices. Distribution of as many who do not have knowledge of the passwords, and also 

copies as desired of these secret verification boxes to all protects the reference data from alteration even by the- 

those who need to verify authentication of messages authen- 35 diarist, it is no longer necessary to encrypt the data or th^ 

ticated by the first secret encryption/authentication device index before it is archived; and correspondingly no longer ^ 

would provide many of the benefits of a public key authen- necessary to decrypt it upon retrieval. So these functions of 

tication system. Of course the security of such a system rests the software and hardware which have previously been 

ontheabilityof the physical seal 735 and the electronic seals discussed can be removed from the diary software and 

or safeguards to protect the private key 726 which, in the 4Q hardware, 

case of the use of a secret key would likely not be an RSA xhe a bove described software and/or hardware forming a 

key. Such a second private verification device could also be p ersonal computer diary is designed to be incorporated in 

routinely given to a third party to be used in case there were an y conventional computer including conventional pe rsonal 

questions about the authenticity of some diary reference data desktop, laptop and notebook computers. A dd itionallyth e 

which had been output. So long as the seals could be seen 45 disclos ed personal coinputer diary can be incorporated in a 

to be untampered with it would not be necessary to trust the special purpose personal com puter similar to a conventiona l 

third party. notebook computer. Put umited to use as a personal diary 

The use of the hardware authentication/encryption device with seals enclosing the clock, d isk or other permanen t 

700, FIG. 24, ensures that the lime of a diary entry cannot st orage, encryph6tt ^iiuuitry, jjiid iuptr^tput circui taLjSfi^ 

be falsified either by resetting the system clock in the CPU 50 special purpose diarv computer can he provided with huilt-ia 

702, nor by using advanced computer engineering methods p uEIic/priv ^t^ ^'•y *^"ift. .stampin g and/or en cryption facili- 

to determine the secret keys and password 168, FIG. 3, in the ties. 

object code and using them to access and/or change the -TQtematively, the archival data storage device 750 may be 

passwords and data in the archive files. operated as an authentication device in accordance with the 

There still remains the possibility that the complete 55 disclosure of previous Sen No. 07/637,675 when a request 

archive files can be erased by use of another program. for authenticated time is detected. The microprocessor 708 

Someone with access to the encryption key, or to the inputs a 64 bit random number supplied by the user (CPU 

encryption device 700, but not the passwords could read the 702), the correct time is retrieved from the real-time clock 

data even if they could not falsify it. These possibilities can 716 and appended to the random number, an authentication 

be prevented by means of the secure archival data storage eo device ID is appended, and a digital encrypted authentica- 

device 750 in FIG, 25. This device 750 is in many ways tion code is computed on the combination. Then the random 

identical to the device 700 in FIG. 24. The time-stamping number, time, ID, and encrypted authentication code are 

and authentication capabilities discussed in connection with presented for output to the I/O circuit 736 under the control 

FIG. 24 are also available and implemented in a similar way of the microprocessor 708. To use this device to ensure that 

in the secure archival data storage device. 65 a computer could not be booted with incorrect time, a critical 

However, the device 750 differs in that it includes a n element of the computer, such as the CPU, would be sealed 

flmhival storape niedium, suc Las a high capacity diskjJnve, (not shown), using means such as discussed above, with the 
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public key and a random number generator which generates 
a different 64-bit number as an authentication signal each 
time it is called by using a secret key to encrypt a number 
which is incremented with each boot and which is stored in 
non-volatile RAM. Upon booting, the CPU would generate 5 
the 64-bit random number and send it to the authentication 
device. Only if a signature was returned verifying the 
random number which the authentication device added to its 
ID before the encrypted authentication code was computed, 
and the expected authentication device ID, would the lo 
returned time, checked to be later than the previous stop 
time, be used to set the computer system clock. Otherwise 
the CPU would refuse to boot 

Note that if a user (CPU 702) appends consecutive 
sequence numbers to the text of each document that the user 15 
requests to be authenticated and which the user then places 
in a particular file, then it will be possible for a verifier to 
check if the documents have been removed from the file 
simply by looking for numbers missing in the sequence. 
Because of the authentication of the sequence number and 20 
date it would be impossible, even for the owner, to erase a 
document and then adjust the subsequent sequence numbers 
in the file without also changing all the dates. Similarly a 
document could not be changed without also changing the 
date to a later date, which may well have to be later than that 25 
on the following docimient in the file. 

It could also be useful, for the authentication device 750 
itself to append and authenticate its own sequence number to 
each document. This could be useful in cases where a single 
user did not append his own sequence number It could also ^ 
be useful if there were only a few users of the notary so that 
a docimaent could be found to be missing from one user's 
files by examination of the files of all the other users. The 
microprocessor 708 in the authentication device computes 
and supplies the authentication device sequence number. 

Since many modifications, variations and changes in 
detail can be made to the above described embodiments 
without departing from the scope and spirit of the invention, 
it is intended that the above description and the accompa- ^ 
nying drawings be interpreted as only illtistrative and not in 
a limiting sense. 

What is claimed is: 

1. A device for time -stamping and storing input data 
comprising: 
a clock; 

a tamper-proof permanent data storage device; 
input/output means including port means for receiving 

and transmitting digital signals; 
a digital bus cormected to the input/output means and the 50 

clock; 

controller means connected to the bus for controlling 
operation of said input/output means and said clock to 
receive input data and requests for time-stamping and 
storing the input data appUcd to the port means of said 55 
input/output means, to read time data from the clock, to 
combine the input data with said time data to create a 
tamper-proof real-time stamp, and to transmit the timc- 
stampcd data to the tampcr-proof permanent data stor- 
age device; and 60 

seal means enclosing said clock, said input/output means, 
said digital bus, said tamper-proof permanent data 
storage device, and said controller means to prevent 
access to said clock, said controller means, said tamper- 
proof permanent data storage device, and said input/ 65 
output means except via the port means of said input/ 
output means. 
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2. A device as claimed in claim 1 including encryption 
means with a secret key; and wherein said controller means 
includes means to operate the encryption means to compute 
and store an encrypted time stamp authentication code from 
the combined input data and time data. 

3. A device as claimed in claim 1 wherein said controller 
means further comprises computer means for ensuring that 
the real-time clock is not reset to a time predating the last 
stored time-stamped data. 

4. A device as claimed in claim 1 further comprising 
means for preventing the clock from being reset. 

5. A device as claimed in claim 1 wherein said tamper- 
proof permanent storage includes software means for pre- 
venting alteration of the time-stamped data. 

6. A device as claimed in claim 1 wherein said tamper- 
proof permanent storage includes a data storage device for 
receiving and storing the time-stamped data; an input/output 
device for supplying and retrieving data to and from the 
storage device; and means for preventing operation of the 
input/output device to write over stored time-stamped data. 

7. A device as claimed in claim 1 further comprising 
means for acquiring authenticated time from a source of 
authenticated time and for setting said clock to said authen- 
ticated time. 

8. A device as claimed in claim 7 further comprising 
means for preventing the clock from being reset other than 
to time from a source of authenticated time. 

9. A device for time -stamping and storing input data 
comprising; 

a clock; 

a tamper-proof permanent data storage device; 
input/output means including port means for receiving 

and transmitting digital signals; 
a digital bus connected to the input/output means and the 

clock; 

controller means connected to the bus for controlling 
operation of said input/output means and said clock to 
receive input data and requests for time-stamping and 
storing the input data applied to the port means of said 
input/output means, to read time data from the clock, to 
combine the input data with said time data to create a 
tamper-proof real-time stamp, and to transmit the time- 
stamped data to the tamper-proof permanent data stor- 
age device; and 

seal means enclosing said clock, said input/output means, 
said digital bus, and said controller means to prevent 
access to said clock, said controller means, said digital 
bus and said input/output means except via the port 
means of said input/output means. 

10. A device as claimed in claim 9 including encryption 
means with a secret key; and wherein said controller means 
includes means to operate the encryption means to compute 
and store an encrypted time stamp authentication code from 
the combined input data and time data. 

11. A device as claimed in claim 9 wherein said controller 
means further comprises computer means for ensuring that 
the real-time clock is not reset to a time predating the last 
stored time-stamped data. 

12. A device as claimed in claim 9 further comprising 
means for preventing the clock from being reset. 

13. A device as claimed in claim 9 wherein said tamper- 
proof permanent storage includes software means for pre- 
venting alteration of the time-stamped data. 

14. A device as claimed in claim 9 wherein said tamper- 
proof permanent storage includes a data storage device for 
receiving and storing the time-stamped data; an input/output 
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device for supplying and retrieving data to and from the 
storage device; and means for preventing operation of the 
input^output device to write over stored time-stamped data. 

15. A device as claimed in claim 9 further comprising 
means for acquiring auttienticated time from a source of 
authenticated time and for setting said clock to said authen- 
ticated time. 

16. A device as claimed in claim 15 further comprising 
means for preventing the clock from being reset other than 
to time from a source of authenticated time. 

17. A device for time-stamping and storing input data 
comprising: 

means for acquiring authenticated time; 

a tamper-proof permanent storage device; 

input/output means including port means for receiving 
and transmitting digital signals; 

a digital bus connected to the input/output means; 

controller means connected to the bus for controlling 
operation of said input/output means and said means 20 
for acquiring authenticated time to receive input data 
and requests for time-stamping and storing the input 
data applied to the port means of said input/output 
means to obtain time data from the means for acquiring 
authenticated time, to combine the input data with said 25 
time data to create a tamper-proof real-time stamp, and 
to transmit the time-stamped data to the tamper-proof 
permanent data storage device; and 

seal means enclosing said means for acquiring authenti- 
cated time, said input/output means, said digital bus, 
said tamper-proof permanent data storage device, and 
said controller means to prevent access to said means 
for acquiring authenticated time, said controller means, 
said tamper-proof permanent data storage device, said 
digital bus and said input/output means except via the 
port means of said input/output means. 

18. A device as claimed in claim 17 including encryption 
means with a secret key; and wherein said controller means 
includes means to operate the encryption means to compute 
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device for supplying and retrieving data to and from the 
storage device; and means for preventing operation of the 
input/output device to write over stored time-stamped data. 

21. A device for archiving input data comprising: 
means for supplying a sequence number; 

a tamper-proof permanent data storage device; 
input/output means including port means for receiving 

and transmitting digital signals; 
a clock; 

a digital bus connected to the input/output means; 

controller means connected to the bus for controlling 
operation of said input/output means to receive input 
data and requests for sequencing and storing the input 
data applied to the port means of said input/output 
means, for receiving said sequence number from the 
sequence number supplying means, for receiving a date 
from said clock, for combining the input data with said 
sequence number to create a tamper-proof sequence 
stamp, and for transmitting the tamper-proof sequence 
stamp and the date from said clock, to the tampcr-proof 
permanent data storage device; and 

seal means enclosing said sequence number supplying 
means, said input/output means, said digital bus, said 
tamper-proof permanent data storage device, and said 
controller means to prevent access to said sequence 
number supplying means, said controller means, said 
tamper-proof permanent data storage device, said digi- 
tal bus and said input/output means except via the port 
means of said input/output means. 

22. A device as claimed in claim 21 including encryption 
means with a secret key; and wherein said controller means 
includes means to operate the encryption means to compute 
and store an encrypted sequence number authentication code 
from the combined input data and sequence number. 

23. A device as claimed in claim 21 wherein said tamper- 
ptoof permanent storage includes software means for pre- 
venting alteration of the sequence number stamped data. 

24. A device as claimed in claim 21 wherein said tamper- 



and store an encrypted time stamp authentication code from 40 proof permanent storage includes a data storage device for 



the combined input data and time data. 

19. A device as claimed in claim 17 wherein said tampcr- 
proof permanent storage includes software means for pre- 
venting alteration of the time-stamped data. 

20. A device as claimed in claim 17 wherein said tamper- 
proof permanent storage includes a data storage device for 
receiving and staring the time-stamped data; an input/output 
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receiving and storing the sequence number stamped data; an 
input/output device for supplying and retrieving data to and 
from the storage device; and means for preventing operation 
of the input/output device to write over stored sequence 
number stamped data. 
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[57] ABSTRACT 

A computer diary archives a diary entry by creating, 
time stamping, authenticating and permanently storing 
a reference data block along with each diary entry. An 
archived diary entry can only be modified by placing 
original text within compartment codes, such as cross- 
out or tear-out codes, and by placing inserted text 
within insertion codes so that the original diary entry 
can be recreated from the modified diary entry. The 
reference data block, which can be the original diary 
entry, a canonical version of the original diary entry, or 
a one way fixed length encryption (hash) of the original 
diary entry, cannot be modified and is used to authenti- 
cate the original diary entry. 

The diary program also monitors text entry for aliases 
and relative date phrases, and upon detection, prompts 
the user for entry or enters a specific identifier for each 
detected alias in an alias compartment or an absolute 
date for each relative date phrase in an implied date 
compartment in the diary entry. 
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1 2 

(WORM) record containing the origiiial data, a stripped 
PERSONAL COMPUTER DIARY version of the original data, or a hash signature of the 

original data together with the present date. Modifica- 
CROSS-REFERENCE TO RELATED tions to the working data blocks are made so that the 

•APPLICATIONS 5 modifications can be identified and removed or restored 

This apphcation is a continuation-in-part of copend- t<> recreate the corresponding original data block. The 
ing U.S. patent application Ser. No. 07/637,675 filed authenticity of the original data with its original entry 
Jan- 7, 1991, for DEVICES TO (1) SUPPLY AU- date can be readily determined along with the subse- 
THENTICATED TIME AND (2) TIME STAMP quent modifications to the original data block. 
AND AUTHENTICATE DIGITAL DOCU- In a second aspect, the invention is summarized in a 
MENTS, now U.S. Pat No: 5,189,700, which in turn is computer diary wherein storage of an original diary 
a continuation-in-part of copending U.S. patent applica- entry along with the present date is prohibited when the 
tion Ser. No. 07/375,502 filed Jul. 5. 1989 for AN AR- present date is before the date of the previously stored 
CfflVAL, SECURE DIGITAL MEMORY SYS- diary entry. 

TEM, now abandoned; these apphcations No. in a third aspect, the invention is summarized in a 
07/637,675 and No. 07/375,502 are hereby incorporated computer diary wherein the forming and editing of 
herein in their entirety by reference, ^ includes monitoring the input of diary 

TECHNICAL FIELD entries to identify entry of selected text entries or aliases 

_ . . ^ , . J ^ nf\ having corresponding lists of one or more previously 

The present invention relates to archived record 2° .^ored specific identifying terms, displaying die one or 
keeping systems, such as a diary, for computers. J^^^ terms oo^esponding to the entered se- 

BACKOROUND ART lected text entry to enable the diarist to identify a cor- 

For hundreds of years artists, writers. poUticians. and ?f ™ P'"*'^ '^'^^'^^ ^ ^ 

private persons have kept dairies. The diaries have gen- ^5 ™ oiaty enwy. ... 
endly been hand-written in a bound notebook on con- ^ ^ ^^'^ invention is summarized in a 

secutive pages on which the date is either pre-recorded computer diary whercm the entry of diary entnes for 
or is entered by the diarist as the entries are made. corresponding diary dates is momtored for the mput 

This traditional method of keeping a diary has several relational date entries, and the diary includes formulas 
useful features for the diarist and for subsequent readers. 30 computing absolute dates corresponding to the iden- 
The diarist cannot easily go back and alter what he has tified selected relational date entries so that the com- 
written. Thus the diary is more likely a truer record of puted absolute dates can be placed in the diary entry, 
what the diarist actually thought at the time. The diary It is an object of this invention to supply a computer 
is "time stamped." The diarist may ink out or tear out diary system which will not only have the distinctive 
pages, but it is clear to future readers that this has been 3S and useful features of a traditional diary, but also have 
done; the existence of an original record is apparent many of the useful features which are attainable only 
along with its mutilation to indicate the intent of the through the aid of modern computers, 
mutilator to destroy a particular entry. Another object of the invention is a diary which is to 

Only a proportionally small amount of text can be be kept generally proof against a casual attack by a 
inserted at a later date, and this can possibly be detected 40 typical user and can be implemented using software, 
by changes in ink or slight changes in handwriting, or Such a system need not necessarily be secure against a 
by the fact that the additions have been written in the determined attack by a computer system professional or 
margin. To the degree that these changes can be de- \yy ^ dedicated "diary tampering" program written by 
tected the diary is tamperproof. g^ch a professional. 

Any reader of the diary can be sure by the handwrit- 45 ^ further object of the invention is a computer diary 
mg of the idenuty of the perK)n who wrote the diary; ^^^^ processing, text time-stamping and authenti- 

Aat IS, the diary caji be verified to be authenUc. The ^^^^ archiving, and selective access to differ- 

du^may be lockedaway so that it is private. "compartments", of the diary. 

Attempts have been made to provide a computer c^e feature of the present invention is the possibUity 
diary. Many such dianes are busmess oriented, designed 50 ^ ^ d^gn^te segments of text >^th begin- 
to serve as remmders and not as permanent records. . u«ii«>t ««»i^iia«= ac^mciiw "^s^ 

The Tandy corporation has Lrketed a software "^f agmfymg different compart- 

product named "My Personal Diary" which aUows the fj^'' "^^^"^ ^'^"^ ""^^^ may belong to 

user to type into the dated unage of a page of a diary. f ^^^^ ^^^"^^ compartments, each compartment can 
Although the software controls access to the diary 55 password, and exammation of the <hary 

pages by use of passwords, it is possible for anyone with <^ ^« selectively restocted to users with knowledge of 
access to use the software to turn to any date in this appropriate set of passwords for the compartments 

diary, past, present, or future, and to delete and enter interest to them. 

data at will. This is very unlike a real personal diary in Advantages of the invention include that the diarist 
that there is no way to determine if an entry for any date 60 control access to the diary, that the diarist, even 
was written at any time close to that date or was written though he is the owner of the system, caimot alter, 
or changed months or years later. change the date of, or erase data which is tnne-stamped, 

authenticated, and already stored. 
SUMMARY OF INVENTION Another feature of the invention is the provision of 

In a first aspect, the present invention is summarized 65 the capability to **tear-out" a limited amount of data per 
in a computer system for archiving data blocks wherdn day by putting text into a tear-out compartment with a 
a modifiable or working version of an original data password which cannot be extracted from the computer 
block is stored along with a write-once read-many diary by anyone, including the diarist The diarist may. 
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however, choose to ke^ a record of the tear-out pass- FIG. 19 is a flow diagram of a second portion of the 

word outside the computer diary if he so desires. archive/save procedure of the computer diary of FIG. 

In a further aspect of the invention the diarist can 1. 

enter a fimited amount of annotation data to previous FIG. 20 is a flow diagram of a text strippmg proce- 

dates, and if desired by the diarist, such additions can be 5 dure used in the archive and restore procedure of FIG. 

seen on display to be clearly distinct from data truly 18. 

entered on that date by placing the annotation data in its FIG. 21 is a flow diagram of a search procedure used 

own compartment with its own display defaults; the in the computer diary of FIG. 1. 

system ensures that the diarist is never able use the FIG. 22 is a flow diagram of an authentication proce- 

annotation capability to falsify the initial data to any 10 dure used in the computer diary of FIG. 1. 

person in possession of aD the required passwords. FIG. 23 is a flow diagram of an exit procedure used m 

In a still further feature, the diary program ensures the computer diary of FIG. 1. 

that data is never time-stamped with a date different FIG. 24 is a block diagram of a computer system with 

from that of the current clock, nor with a time earUer hardware elements which can, altemativeiy. be used to 

than the most recent previous time a record was stored 15 perform some of the functions of the software embodi- 

in the diary, «ient of FIGS. 1-23 with greatly enhanced security. 

FIG. 25 is a block diagram of a second computer 

BRIEF DESCRIFnON OF DRAWINGS ^y^^^^ hardware elements which can. altema- 

FIG. 1 is a general block diagram of major proce- tivcly. be used to perform some of the functions of the 

dures included in one embodiment of a computer diary 20 software embodiment of FIGS, 1-23 wiA still greater 

in accordance with the invention: enhanced security. 

FIG. 2 is a flow diagram of initial procedures during DESCRIITION OF THE PREFERRED 

startup of the computer diary of FIG. 1. EMBODIMENTS 

FIG, 3 is a general diagram of object code used in the 

computer diary of FIG. 1. 25 As shown in FIG. 1, a computer diary in accordance 

FIG. 4 is a general diagram of contents of a diary file with the invention includes a word processing core 102 

produced and stored by the computer diary of FIG. 1. along with an archive function 104 by means of which 

FIG 5 is a flow diagram of a clock checking proce- a user can time stamp and store a diary entry. The word 

dure used in the initial procedures of FIG. 2. processing function 102 can only edit or modify an 

FIG 6 is a flow diagram of a setup procedure of the 30 archived diary entry by marking archived diary text or 

computer diary of FIG. 1. by inserting marked text or other data so that the origi- 

FIG 7 is a view of a computer display screen pro- nal archived diary entry can be reconstructed. Authen- 

duced in the setup procedure of FIG. 6. tication by function lOd is by comparing the re^on- 

FIG. 8 is a view of a computer display screen pro- structed text with a wnte-once read-many (WORM) 

duced in a main diary entry and editing procedure of 35 version of the original diary enUy or by comparing an 

pjQ 1^ encrypted hash signature of the reconstructed text and 

FIG. 9 is a table of built-in relative date phrases with original date with a WORM hash signature of the origi- 

corresponding reference dates and references to formu- nal time stamped entry. Preferably the program m- 

las for computing absolute dates from the relative date eludes encryption 110 and decryption 112 with storage 

phrases for use in the procedure of FIG. 17. 40 input/output 114 (for example magnetic disk mput/out- 

FIG. 10 is a table of user created relative date phrases put) of diary entries and vanous file parameters. The 

with corresponding references to formulas for comput- user can save an incomplete diary entry with save fimc- 

ing absolute dates from the relative date phrases similar don 116. without dme stamping and archiving, for later 

to FIG. 9 but which can be created during the setup recall and completion, but such incomplete diary entry 

procedure of FIG. 6. 45 is not accorded a time stamp. 

FIG 11 is a flow chart of one possible formula for The diary program begins with the mitiahzadon mod- 

compudng absolute dates from relative date phrases ule 120 after which the user selects a file in function m. 

referred to in the tables of FIGS. 9 and 10. The first time user of the diary selects a new file name 

FIG. 12 is a table of built-in generic terms or abas which results in the program at 124 branching to a file 

words used in the computer diary program of FIG. 1. 50 setup function at 126. In file setup 126. the user enters 

FIG. 13 is a table of user generated generic terms or several optional file parameters including a master pass- 
alias words used in the computer program of FIG. 1. word. The user can also designate user compartments 

FIG. 14 is an example of an unique alias identifier or text markers with associated passwords for permit- 
table containing lists of specific terms which can be ting others limited access to the diary file, 
selected to specifically identify aliases in the tables of 55 When a stored file is selected, the program branches 
FIGS. 12 and 13. at 124 to a function 130 where several file parameters 

FIG. 15 is a general block diagram of some diary previously created in setup 126, including tiie master 

entry and editing functions of the computer diary of password and any user compartment passwords are 

pjQ I input from the file via the input/output 114. If the user 

FIG. 16 is a flow diagram of computer procedures to 60 correctiy enters a master password at 130, then die 

control selection ofappropriate permitted procedures in program proceeds to the word processing and user 

the diagram of FIG. 15. interface 102 with fuU read/write access to diary entries 

FIG. 17 is a flow diagram of relative date phrase in the file granted at 132. The master fimction 132 deter- 

monitoring and generic phrase monitoring procedures mines the existence of any previously saved but non- 

in the computer diary of FIG. 1. 65 archived diary entry and inputs any such entry for dis- 

FIG. 18 is a flow diagram of a first portion of an play by the word processor user interface 102. In the 

archive/save procedure of the computer diary of FIG. absence of an uncompleted diary entry, the user inter- 

I face is set for the user to enter a new diary entry. 
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If the user fails to enter the master password at 130, determine the display of built-in compartments or 
the user is queried to enter any user compartment pass- marked text such as cross-outs, inserts, implied dates, 
words. Correct entry of one or more user compartment implied alias, eta; user alias tables 220; user date tables 
passwords results in the granting of limited read-only 222; diary entry sections 224 for each archived diary 
access at 134. The limited user is only permitted to input 5 entry including reference or WORM data 226 and 
via storage input/output 114 those compartments (text working or read/write data 228 with archive flag 229; 
previously marked by the master diarist) associated an index file 230 of all the working data including all 
withcorrecdy entered passwords. Also the limited user text words (except for defmed trash words like "a", 
is permitted to search and retrieve 136, print 138, and to "the" "and", "or**, etc.), implied dates, implied alias 
import and export 140 from and to an external text or 10 terms, and compartment or text marking codes; and an 
data file. Other diary and word processing functions index file 232 of the diary entry sections 224 with their 
such as archive 104, storage output through input/out- archive date of entry. 

put 114, save 116, setup 126, and other text editmg and Referring back to 'FIG. 2, the program in step 240 
modification functions are n6t permitted to the limited recalculates the checksum of the file and compares this 
user. 15 checksum number with the checksum number 196 

Failure to enter any correct password in procedure stored m the file. If these checksum numbers are equal, 
142 results m access denied 142 and return to master the program branches to step 242 where a checksum 
password query. flag is set true (T); otherwise the checksum flag is set 

The program includes monitoring procedures 144 false (F) in step 244 indicating that the stored file has 
and 146 for relative date phrases such as today, tomor- 20 been corrupted by use of some other program. A warn- 
row, yesterday, last Sunday, etc., and for alias words ing is issued if the checksum flag is F because the diary 
such as pronouns like he, she, we, they, or user identi- program will not permit further archiving to this ar- 
fied non-specific names or aliases such as furst names like chive file. In this case the diarist may choose to access 
Bin, Susan, etc. When entry of a relative date phrase or a backup copy of the archive file in hopes that it will 
an alias is detected, the program suggests insertion of a 25 pass the checksum test 

specific term, such as the precise date, or selection of a The user is requested in step 248 to enter a master 
term from a table of terms such as full names of the password which is compared to the master password 
possible aliases. Tables of relative date phrases, alias 214 read from the file of FIG. 4. If they do not match, 
words, date formulas and specific terms, can be edited then the user is given the opportunity to enter a manu- 
and created in procedures 148 and 150. Alternatively, 30 facturcr's password in step 250. The manufacturer's 
the diarist can elect not to insert the absolute date or the password b revealed to the user when the user calls the 
specific term. manufacturer and is properly identified (for example, by 

A user with master access options after electing exit giving the maiden name of the user's mother as written 
function 152 is offered options to archive or save a diary by the program purchaser on the user Ucensee registra- 
entry if it was not previously archived or saved. 35 tion card). Thus should the registered user forget the 

In the initialize procedure 120 as illustrated in more master password, full access can be obtained by calling 
detail in FIG. 2, the program is first loaded in step 160 the manufacturer. Master access is granted in step 252 
and then sensitive program elements in the program are when either step 248 or 250 are true, 
decrypted in step 162. FIG. 3 shows the structure of the The diarist may grant limited , access to selected data 
object code in which, immediately after control is 40 or marked text in the file by giving a limited viewer the 
passed to the loaded program at 164, control proceeds compartment password of the corresponding data or 
to decryption code 166 which decrypts sensitive data marked text When the limited viewer fails to enter 
168 which for example includes a secret, private (RSA) cither the master or the manufacturer's password, the 
key, a data encryption (DES) key, and a manufacturer's litnited viewer can enter a compartment password or 
password and places the decrypted data in operating 45 passwords in step 254. If the entered password or pass- 
condition with the rest of the object code. The elements words match one or more compartment passwords 
168 are encrypted with a conventional data encryption recorded in section 216 of the file, then in step 256, 
standard (DES) by the program manufacturer who limited access is granted by setting the master password 
includes the decryption code with its key in the pro- flag to F and a compartment read flag or flags to T for 
gram code 166. The purpose of the encryption of pro- 50 all compartments having the correctly entered pass- 
gram elements 168 is to make it more difficult for some- word or passwords. Failure to enter any correct pass- 
one to falsify authentication or to alter the archive file word results in the step 254 being false and returning to 
by decrypting, altering, and re-encrypting with another step 248. 

program. The program then jumps at 170 to the main When either full or limited access has been granted 
part 172 of the program where in step 122, FIGS. 1 and 35 by either step 252 or step 256, the program performs the 
2, a file is selected. clock check routine 258 which, as shown in FIG. 5, first 

The file structure, shown in FIG. 4, includes a check checks the clock circuit for failures in step 270. If a 
sum 196 which can be produced by conventional sum- conventional computer clock circuit is used, loss of 
ming, cyclic redundancy check, cryptographic secure battery power or other clock malfunction will normally 
hash procedures or the lik^ a check sum flag 198; a 60 indicate a failure, and if a secure dock is employed, 
dock flag 200; the date 204 of the most recent archive; such clock will normally include one or more checking 
the quantity 206 of today's tear-out data together with functions to insure that the clock is operating properly 
today's date 208; the tear-out password 210; tear-out and has not been tampered. If the clock diagnostic 
compartment display data 212 such as whether an tear- check test in step 270 is true, then the dock time is 
out indicator with the number of words in the tear-out 65 compared in step 272 with the . last archive time 204 
section or compartment is displayed; the master pass- recorded in the file of FIG. 4. This step checks for 
word 214; user compartment names, passwords, and changing of the dock tim^ for example the clock cir- 
display data 216; set or default parameters 218 which cuit on most computers can be set to any previous time 
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by the computer setup procedure to attempt to falsify ''DEFAULT' can be changed from default words 
the date of a diary entry. When the clock time is greater while entry of passwords for user created compart- 
than the recorded last archive time then the clock flag ments "PATENT". 'TINANCES". "MOTHER", 
is set to T in step 274. If either step 270 or step 272 are •UNDA", and "THE KTDS" are required when the 
false then the clock flag is set to F in step 276. Referring 5 user creates the compartment 

back to the procedure of FIG. 2, the setting of the clock In the first column 296 are listed the compartment 
flag to F in procedure 258 results in the program boundary codes by which the text segments or compart- 
branching at step 280 to step 282 where the user is ments are marked. The program employs the ASCII 
warned that no further archiving to the file is permitted coding scheme for eight-bit bytes ranging from decimal 
because of the clock failure or incorrect date. 10 32 to decimal 127. and the boundary codes are selected 

In step 284. the program reads the set or default pa- from the remaining codes horn decimal 0 to 3 1 and from 
rameters 218 for the file of FIG. 4 and sets the computer decimal 128 to 255. Codes within these latter two ranges 
display in accordance with the read parameters. The and which are not reserved for compartment boundary 
program then proceeds to the user interface of the word markers can be used for print or display formatting or 
processing program 102. 15 for displaying various foreign and other characters and 

The setup procedure 126 which is called when a new symbols in accordance with one or more of the conven- 
fUe is selected during program startup or can be called tional symbol sets employed in computers and printers, 
from the user interface is shown in FIG. 6. In step 290, The boundary codes for the system compartments are 
the user is given the opportunity to set various system fixed by the program and the program assigns boundary 
and compartment parameters. As illustrated in the dis- 20 codes to user compartments as they are created. In the 
play screen shown in FIG. 7 and used for setting the display, the boundary codes are displayed as reverse 
parameters, there are a variety of "compartments" image characters, or characters with selected back- 
listed in the second column 292 including "CROSS- ground and foreground colors. The boundary codes are 
OUT", "INSERTION", "INSERTION J)ATE", placed at the beginnmg and end of a text segment to 
"ALIAS", "IMPLIED DATE", "TEAR-OUT*. 25 mark that text segment as comprising a compartment; 
"DEFAULT'. » "PATENT*, "FINANCES", for example in FIG. 8 the boundary code for the default 
"MOTHER", "LINDA", and 'THR_KIDS". The compartment " j 0 1 " placed at the beginning of the 
listed "MASTER" and "MANUFACTURER" are not text before "Last" and after "church." to define a seg- 
compartments but are included because of their pass- ment of the text from "Last" through "church." as 
word functions. The first nine listed compartments in- 30 belonging to the "DEFAULT* compartment. It is 
eluding "CROSS-OUT*, "INSERTION", "INSER- noted that compartments can be nested, that is, a com- 
TION—DATE". "ALIAS", "IMPLIED DATE'*, partment can defined for all or a portion of the text 
**TEAR-OUT', and "DEFAULT** are system com- contained within another compartment, 
partments while the last five listed compartments "PA- Referring back to FIG. 7, the fourth column 298 is set 
TENT", "FINANCES**, "MOTHER". "LINDA*', 35 by the user to indicate whether the compartment is to 
and *THE_KIDS" are examples of user created com- be displayed except that the tear-out compartment is 
partments. User compartment names can be changed, normally not available for being displayed as indicated 
added, and deleted in the setup procedure, but modifica- by the word . **none". The tear-out compartment can 
tion of the listed system compartment names is not only be displayed under limited access granted by steps 
permitted. 40 254 and 256 of FIG. 2 after entry of the correct pass- 

In the third column 294, passwords for the various word for the tear-out compartment When the text dis-"" 
compartments are listed, except that the manufacturer's play for a defined compartment is set to "ON" in col- 
password is never available to the user in setup and ^e umn 298. then the text: within that compartment is dis- 
tear-out password is only available during the setup of a played in the word processing screen of FIG. 8 with the 
new file or until changed from a default (a default tear- 43 conesponding compartment boundary codes, and when 
out password such as "PASS** is recognized by the set to "OFF", then neither the text nor boundary mark- 
software for being displayed and changed but any other ers are displayed in the word processing screen even if 
tear-out password can not be displayed or changed). the required passwords have been entered. 
During the setup of a new file the entry of a "MAS- The diarist can select the color of the text displayed 
TER*' password is required. The manufacturer's pass- 50 within in a compartment, where a color computer mon- 
word can be invalidated by depressing the "alt* * and the itor is employed, as shown in column 300 of FIG. 7. 
"i" keys simultaneously while the cursor rests in the Priority of the compartments is set by the diarist in 
manufacturer's password row and column in FIG. 7. column 302. The color actually used, if text is in more 
This causes the manufacturer's password to be replaced than one compartment, is in accordance with the com- 
by the DES encryption of a user-input value using the 55 partment with the highest priority, given m column six 
secret DES key. and the entry in the password colunm 302. If the two nested compartments have equal priori- 
for MANUFACTURER to change from "valid" to ties, the color of the compartment closest to the top of 
"not valid." The program provides no capability to the list is. used. However, the tear-out compartment 
replace the new entry in the manufacturer's password always has the highest. The compartments above the 
location with another value, nor to change the flag from 60 tear-out compartment in FIG. 7 have neither indepen- 
"not valid'* to "valid." These procedures make it impos- dent color nor priority, as indicated by the dashes, since 
sible for the diarist or the manufacturer to know the they are always withhi another compartment, and thus 
new value in the manufacturer's password location by are given the same color and priority as the compart- 
themselves; although it is still possible that in collabora? ment of the text within which they are placed, 
tion they could do so if the diarist retains a record of his 65 The last column 304 in FIG. 7 enables the user to set 
input The passwords for the other listed system com- a missing text indicator in the event that the text display 
partments "CROSS-OUT*, "INSERTION". "INSER- for that compartment is "OFF". For example, the miss- 
TION-DATE'*, "ALIAS", "IMPLIED DATE", and ing text indicator for the TEAR-OUT compartment is 
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"ON" in FIG. 7 and in FIG. 8, text in the tear-out com- toggle 316 cycles through aJl on, all off and the settings 

partment is indicated at 310 by " jT73 j The indica- of column 300. 

tor "T' is the boundary code indicator, see column 296 After modification or creation of the tables of FIGS, 
in FIG. 7, for the tear-out compartment, and the num- 10, 13 and 14 in step 320 of FIG. 6, the program pro- 
ber 73 indicates that 73 words are in the tear-out com- 5 ceeds to step 348 where other parameters of the pro- 
partment. Only for text missing because it has been torn gram are edited. For example, the user can identify a 
out i^ the amount of text (73 words in this case) indicated. particular display card such as Hercules, VGA, etc. and 
A missing text indicator 312 shows that patent compart- can identify a particular printer to be used by the pro- 
ment (code 111) contents are missing. However, there gram. 

is no indication of how much text is missing, ^0 The word processor 102 of FIG. 1 includes a number 

After the compartment parameters have been set and of functions as illustrated in table 360 of FIG. 15 which 

saved by the step 290 in the setup procedure of FIG. 6, can be called by the pointing and clicking by means of 

the program proceeds to the edit/create date and alias a niouse on one of the user interface buttons shown in 

table functions in step 320. A built-m date word phrase ^1^* ^» pressing a cursor movement key, pressing a 

table 322 is shown in FIG. 9; this table is built into the selectai function key, or simultaneously pressmg a Ctrl 

object code and can not be edited by tiie user. The ^} .^^ vath a sdccted function key. The functions 

built-in date phrase table 322 contains common relative {"^^f ^^^5 ^60 are divided mto columns under hm- 

date terms illustrated in column 324 such as "yesterday" ^62 and master aa;^s fiincdo^ 

'last night" *Wrrow". "today", *this morning", 362, and the master access functions ye ft^^ 

•Thanksgiving" "Christmas" etc. together with a possi- ^/^^er non^duyed text 3fi» and archived 

ble referfnce date in column 326 aid a formula hidex ^ As shown m FIG^ 16, the caUmg of a word 

number in column 328. The formula pointed to by each ^'^^'^^^^ P^^^"^ ^ 372 where it is 

. 1 . J I. 'i^o 1 1 * u 1 ♦ J determmed if the master password flag, set m step 252 

formula mdex number 3M c^^ absolute date. ^ ^ J 

for example "25 DEC 992^ for the corres^^^^ ^3 detennines if th; caUed function is one of the fimctions 
relalaye date phrase 324 "last Christmas uang the pres. ^^^^ ^ ^^^^ of 
ent clo^ date and tide reference date 326 when re- ^ 
quired. For example t^^ formula for 'last Chnstoas as ^^^^^ ^ ^ ^^^^^^ ^ 
shown m FIG. 11 first determines m step 332 if the ermitted under limited access the program ignores the 
present month and day-of-month is greater than the 3^ f^^^y^ ^aU and returns to the user interface, 
reference date for the current year, and if so, combmes 3-72 of FIG. 16 is true, the program goes to 
the present year with the reference date in step 334, ^^^^ 3^^ ^^^^^ determined whether the current 
otherwise the previous year is combined with the refer- interest has been previously archived AU text in 
ence date in step 336, Formulas for other relative date ^ diary entry which has not been previously archived is 
phrases can be easily composed by a skilled program- 35 non-archived text Text previously inserted (placed in 
nier- an insertion compartment) in a previously archived 
A user's date word phrase table 222, stored in the file ^jj^ry entry is also non-archived text; only the original 
of FIG, 4, is shown in FIG. 10 and contams date archived text is designated as archived text If step 378 
phrases, reference dates and formula numbers entered ^ program branches to step 380 to perform the 
by the user m step 320 of FIG. 6. Typically this user's 40 corresponding archived function in column 368 of FIG. 
date phrase table contains birthdays and anniversaries 15. otherwise the program branches to step 382 to per- 
of the diarist, relatives and friends and other important fonn the corresponding non-archived function in col- 
dates. The user's date phrase table of FIG. 10 is used in 355 of FIG. 15. 

the same manner as the built-in date phrase table of The word processing functions illustrated in FIG. 15 

FIG. 9. 45 include, beginning at the top row of the table, text dis- 

A built-4n alias word table 340 is shown in FIG. 12, a pjay 384, cursor movement 386, text entry 386, file 
user alias word table 342 is shown in FIG. 13 and a import 390, scrolling text 392, deletion 394, printing 
unique alias identifier table 344 is shown in FIG. 14. The 395^ blocking text functions 398, and exporting to file 
alias table 340 is built into the object code while the 400. It is noted that the listed word processing functions 
tables 342 and 344 are created or modified by the user in so are only exemplary, and that many other word process- 
step 320 of FIG. 6 and stored in the user 'alias table fng functions could be included and/or one or more of 
section 220 of the file of FIG. 4. The built-in alias word the listed functions could be excluded without affecting 
table 340 contains a list of commonly used pronouns, the useabiHty of the diary program, 
such as *'he", "she", "it", etc. and other common terms Text display under limited access is hmited to those 
such as "mother*', **home", etc. The user table 342 of 55 compartments for which the user has entered a correct 
alias words typically contains first names of relatives password. Preferably, when one or more diary entries 
and friends of the diarist The unique alias identifier 224, FIG. 4, are read from the storage file under limited 
table 344 contains each of the alias words of tables 340 access and placed in a working memory buffer, the 
and 342 together with respective lists of specific names program deletes from the buffer all text and data that is 
or terms identified by eac^ of the alias words. 60 not contained in a con^artment to which access is 

In the bottom line of the screen 290 are listed toggles granted. Additionally each diary entry 224 includes 
314, 315 and 316 which can be pointed to and used to both reference data 226 and working data 228; the refer- 
quickly change the display screen if the master pass- ence data is not used in any limited access function and 
word is T. For example, pointing and clicking on text can be deleted from the buffer or not inputted fiom the 
display toggle 314 alternates the display of compart- 65 storage file when only limited access has been granted, 
ments between all displayed and the settings of column When master access has been granted, working . data or 
298. The missing text toggle cycles through all on, all text 228 is displayed according to the display paramc- 
off and the settings of column 304. Similarly the colors ters set in the setup function of FIG. 7; the reference 
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data 226 is never displayed except insofar as the work- in FIG. 8). Text segments placed in a tear-out compart- 
ing data includes reference data or text within displayed ment are not available for display or printing unless the 
compartments. user remembers the tear-out password or has kept a 

The cursor movement functions 386 and the scrolling copy of the tear-out password and in starting the diary 
text functions 392 are generally the same for all dis- 5 program elects not to enter any master or manufacturer 
played text. Cursor movement and scrolling under ei- password but correctly enters the tear-out password at 
ther limited access or master access is only performed in step 254 in FIG. 2. In this manner the tear-out compart- 
displayed text or data. Printing and exporting jfunctions ment resembles in result a diarist tearing out a page or a 
396 and 400 differ between limited access and master portion of a page of a diary; the tear-out and its relative 
access in that under limited access only that text in 10 quantity can be made visible but the contents of the 
compartments for which access has been granted can be tear-out are normally not available, 
printed or exported whereas under master access text in Text blocking 398 is also used to mark a blocked text 
any displayed compartment can be printed or exported, segment in one or more of the user defined compart- 
Printing and exportmg of blocked text in function 398 is ments listed below the default compartment of FIG. 7. 
similarly limited to displayed text or data. 15 Although not illustrated in the drawings, the word 

Any function which involves modification of the processor includes such standard options as blocking 
working data, such as text entry 388, import 390, dele- and marking text for underlining, italics, etc. A block of 
tion 394, and some block functions 398 like block dele- text is highlighted with the mouse or cursor and then a 
tion, copying, moving or text marking is not permitted button is selected resulting in underline, italics, etc. 
under limited access. 20 codes being placed before and after the block of text 

Data modification functions differ between archived The display or printing portion of the word-processing 
text and non-archived text When a diary entry is ar- program detects these codes and displays the text as 
chived, the corresponding reference data 226, FIG. 4. is underlined, italics, etc. usually with the codes hidden, 
produced and stored, and this reference data cannot be An option usually exists to either hide or reveal the 
modified or changed by the diary program; editing 25 codes for the bold face, italic, etc. options. Also stan- 
reference data or any other data by a conventional file dard delete options exist to delete normal printing and 
editing program will niiost likely render the file or diary formatting codes as well as compartment codes other 
entry invalid and unusable in the present diary program. than the tear-out compartment codes as desired. System 
However, working data 228 can be modified or compartment codes in non-archived text can also be 
changed in the computer diary program with the provi-' 30 deleted 

sion that if the corresponding diary entry has been pre- Text or data entry is always into one or more (if 
viously archived, the modifications and changes arc nested) of the default and user defined compartments, 
made in a manner that the original archived text or data For example in FIG. 8. the upper seven lines of dis- 
can be recreated from the working data. Thus under the played text are in a default compartment bracketed by 
archived text column 368, text entries 388 and file im- 35 I 0 ! ... 1 0 | . The patent data in line 8 is not in the 
ports 390 are placed in insertion compartments (see the default compartment but is within its own compartment 
text segments bracketed by III ... Ill in HG. 8). [1 ! ... 1 1 I . Line 8 is in a default compartment The 
Under the non-archived text colunm 366, text entries or compartment in which data or text is to be entered is 
imported files arc not marked in insertion segments or selected by pointing and clicking on the compartment 
compartments. Deletions 394 under column 368 of orig- 40 button the top of the screen in FIG. 8 or by pressing 
inal archived text are made by placing the deleted text an appropriately assi^ ed function key or simultaneous 
in a cross-out compartment (sec text segments brack- combination of shift, CTRL or ALT and function key. 
etcdby Ix! ... !x! in FIG. 8) while deletions to Any text not otherwise placed in a user defined com- 
non-archivcd text are made in the usual manner of delet- partment is placed by the program in the default com- 
ing such text from the working word processor buffer. 45 partment. 

Any insertions into insertion compartments that have During text entry or cursor movement, the word 
been made in previously archived original text are rec- processor in functions 144 and 146 of FIG. 1 monitors 
ognized as non-archived text, and further insertions and words at and near the cursor and suggests absolute dates 
deletions in such insertion compartment text are made for relative date phrases and correct unique identifiers 
under column 366 in spite of the fact that the diary entry 50 for aliases. A procedure called by text entry or cursor, 
has been previously archived. movement for performing these functions is illustrated 

In text blocking 398 under tiie archived text colunm in FIG. 17. In step 410 the program determines if a date 
368, deletion of blocked text involves marking the text phrase (phrase matching any of the date phrases listed in 
block in a cross-out con^partment. Copying of blocked the fint columns of the tables of FIGS. 9 and 10).is near 
archived text involves placing the text in an insertion 55 the cursor. If true, then in step 412 it is determined if this 
compartment at the new copy location. Moving of date phrase has been previously detected such as by 
blocked archived text includes both marking the being highlighted. If not, then in step 414 the newly 
blocked text in a cross-out compartment at the old loca- detected date phrase is highlighted (see highlighted text 
tion and marking the blocked text in an insertion com- 430 in FIG. 8) and any previously highlighted date 
partment in the new location. Where copying or mov- 60 phrase is returned to normal. Also in step 414, the abso- 
ing involves archived text at one location and non- lute date for the date phrase is computed using the 
archived text at the other location, such copying or formula pointed to by ]the corresponding formula index 
moving would be include operation under archived number of FIG. 9 or 10 if there is no implied date com- 
column 368 at the one location and opa;ation under partment I ID ! ... I ID i immediately following the 
non-archived column 366 at the second location. 65 phrase. The calculated absolute date or an ahready exist- 

Blocking functions 398 under archived text colunm ing implied absolute date is displayed at 418 in the user 
include the option of marking the blocked text in a interface of FIG. 8, and the user is given the opportu- 
tear-out compartment (see the tear-out marker T73 nity in step 422 of confirming, step 424, or declining the 
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suggested or existing implied date or of entering manu- ing working data section 228 without forming and stor- 
ally another absolute implied date, step 426; as a pro- ing any reference data section 226, and the correspond* 
gram setup option the absolute date may or may not be ing archive flag in the working data will be false. When 
confirmed by default if the user continues to enter text the diary entry has previously been archived, the save 
or move the cursor. In either of steps 424 or 426^ the 5 and archive functions are the same. In step 502 it is 
corresponding implied absolute date is placed in an determined if the master password flag is true; no save 
implied date compartment immediately alter the date or archiving is permitted for a user with limited access, 
phrase. An impUed date indicator i ID ! is not dis* The existence of suitable data is determined in step 504; 
played after the relative date phrase unless the corre- the saving or archiving of an empty diary entry or one 
spending missing text indicator in colimm 304 of FIG. 7 10 without any words or displayable data is generally pro- 
is ON and the implied date itself is not displayed unless hibited. 

the corresponding text display indicator in colunm 298 Next in step 506 the program determines if the data is 
is ON. , to be stripped. GeneraUy all diary entries are to be 

From steps 424 and 426, from step 422 when decline stripped; however if a diary entry consists entirely of 
is chosen, from step 412 if true or from step 410 if false, 15 graphical data then stripping could distort the data to 
the program proceeds to step 436 where the words near the extent that no useable data remains after stripping, 
the cursor are compared to the alias words in the tables The stripping procedure 508 is illustrated in FIG. 20 
of FIGS. 12 and 13. If there is a match then in step 438 and includes step 510 where any text within insertion, 
it is determined if the alias word has been previously insertion date, ahas, and implied date compartments is 
detected such as by being already highlighted. When 20 deleted, step 512 where compartment and formatting 
step 438 is false, the program in step 440 highlights the codes are deleted, and step 514 where consecutive blank 
newly detected ahas word, removes the highlighting spaces are compressed to single blank spaces. This re- 
from the previous alias word if displayed, and displays suits in a canonkal form of the text. A person skilled in 
the corresponding list of specific alias identifier words the arts of compression and encryption will appreciate 
from the tabjie of FIG. 14 at 442 in FIG. 8 if the alias 25 that many other canonical forms are possible, 
word does not have any alias compartment marker Referring back to FIG. 18 in step 520, it is determined 
I A I immediately following the alias word; if the alias if there is an archive flag for the present diary entry, ie. 
word is followed by I A ! the contents of the alias if the present diary entry has been previously archived, 
compartment are displayed at 442. The diarist in step A diary entry can only be archived once, i.e. stored 
444 is given the opportunity to select one of the dis- 30 reference data 226 is WORM data and cannot be 
played specific identifier terms by simiiltaneously press- changed; changes can only be made to the working data 
ing ALT and the number of the identifier term (the 228. When the diary entry has not been previously ar- 
identifier terms can be scrolled if they can not all be chived, the program proceeds to steps 522 and 524 
displayed in the space 442) causing the program in step where the clock and check sum flags, respectively, are 
446 to insert the selection into an alias compartment 35 sensed to insure that the clock is appears to have the 
immediately following the alias word. When an alias correct date and that the file has not previously been 
compartment already exists at step 444, the diarist can corrupted. In step 526 the program determines if the 
simultaneously press ALT and "I" to erase the existing diarist wishes to only save lie diary entry without ar- 
the existing identifier term and call the corresponding chiving, i.e. did the user select save 116, FIG. 1. If false, 
list for display at 442 and selection. Simultaneously 40 the program then in step 530 determines if the present 
pressing ALT and "A" at step 444 causes the program clock date is unlikely, for example more than one week 
to branch to step 448 where the diarist can enter a new past the last archive date. When true, the diarist must 
specific identifier term into the corresponding list in the confirm in step 532 that the date is correct to ensure that 
alias table and into an alias compartment immediately the computer clock is not been set or is not malfunction- 
following the alias word. Pressing ALT and "D" simul- 45 ing to give a date in the distant future which would 
taneously results in no alias identifier term being se- prevent storageof later diary entries with dates prior to 
lected. If the diarist continues to type or move the cur- that future date. 

sor, the program in accordance with a setup defauh In archiving the diary entry, the program at step 534 
option ei^er inserts no alias compartment or selects the appends the real clock time to the stripped text and 
fu*st displayed specific identifier term in step 446, or 50 working data. Then in step 536 a digital signature is 
makes no change if the alias compartment already ex- computed on the time stamped stripped text; the digital 
bts. When a new term is added in step 448, or a selection signature is a one-way encryption of the text and time 
other than the first selection is selected in step 446, the data into a fixed length code that is most highly unlikely 
program in step 450 sorts the corresponding list in the to be reproduced if changes were made in the text or 
alias table by placing the current selection as the first 55 data. This digital signature is appended to the time 
item in the list, and the next closest preceding different stamped stripped text to form the reference data 226 of 
alias identifier term (found in the corresponding list) as the corresponding diary entry. Next in step 538 the 
the second tenn in the list The third location in the archive flag in the working data is set true following 
sorted list, if different from the first two, is the unique which the indexes 230 and 232 and the date 204 of the 
identifier most firequently found in the preceding two 60 most recent archive are updated in step 540. The refer- 
pages of diary entries. The order of any remaining terms ence data 226 and working data 228 are then encrypted 
following the second term remains unchanged. in step 542, the checksum 196 is updated in step 543, and 

The archive/save functions 104 and 116, FIG. 1, are the encrypted reference data working data are stored in 
illustrated in the procedure of FIGS. 18 and 19. The step 544. 

save function 116 allows the diarist to temporarily save 65 If in step 320 of FIG. 18, it is found that, the diary 
a new diary entry that is incomplete without arcl^ving. entry has previously been archived, Le. the archive flag 
When a non-archived diary entry is saved (as contrasted is true, then the program branches to step 550 of FIG. 
with archived) the diary program stores a correspond- 19 where the stripped working data is compared to the 
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Stored reference data. Alternatively where the refer* chived. When the user declines to archive a diary entry 

ence data is only a digital signature, the step 550, FIG. at step 634, the opportunity to call the save ftinction 116 

19» computes the digital signature on the stripped work- is presented in step 636. In any event the program re- 

ing data with appended time stunp (see step 536 of FIG. turns ^o_ the operating system j^^^ 
18) and compares the f esiidting dijptil Mjg^tiir^^ 

stored reference data. Step 550 detects modification of In another embodiment of the digital diary, special 
the original diary entry portion of the text by any pro- hardware shown in FIG. 24 is used. An authentication- 
gram other than the present diary program and when /encryption device 700 is connected to the CPU 702 
such a discrepancy is uncovered produces an error operating diary object code 704, and may be used to 
message and prevents storing the modified working 10 improve the security of the time-stamping, authentica- 
data. tion, and authentication verification as well as for the 
If there is a match in step 550, then the program encryption and decryption of stored data. The device 
proceeds to step 552 where it is determined if there is 700 comprises a microprocessor 708 to control the over- 
sufficient disk storage space to save the file with the ^11 system under the control of a program stored in the 
modified or new working data. Step 552 is also the entry 15 Read Only Memory (ROM) 710. Communication be- 
point for a branch from step 526 when the diarist has twton the elements of the device is carried on via a bus 
selected to save an new diary entry wiAout archiving. included in the device is a digital clock 716, 
In the next step 554 the program determines if the quan- powered by a trickle-charged battery 718 which can be 
tity oftear-out words for today exceed a maximum accessed from outside the device in order to ensure 
limit. Tlie dianst is mhibited from makmg large scale 20 ^n-interrupted power to the clock 716. The clock 716 is 
tcar-outs of major portions of the stored diary entnes by ^^^^ ^ ^ ^^^^^ ^^^^ ^^^^ 
permittmg the dianst to tearK)ut (place m the te^-out including the owner of the device. The micro- 
compartment) only a relaUydy small portion of any 708 periodically runs diagnostic checks on 
large quantity of diary text; the dianst over a penod of ^^^^^ ^ operations of the 
s^eral or many days may tear-out most or all of the 25 ^^^^^ ^^^^^ diagnostics fail. One of these diagnos- 

If the tearK>ut limit is not violated, then the program *^ P'T'^^'^i^ ''''''' ^ 

• . ccT^ J rtl ™" F*ys^«*" portion 720 of a random access memory (RAM), and to 

m step SS6 updates the fde^r-out q« m,^m P ^^^^^ ^ ^ 

558 updates the mdexes 230 and 232, m step 560 en- -th. j • 1 ^ • t -^1 n Ai^t^'^'y ji. 

crypts the working data, in step 561 updates the check- 30 ^he device also contams volatile RAM 722 used by the 

sum 202, and in step 562 stores the working data in ^flT'"'^'*'' "^"^ ^ encryption device 7^ to 

read/write memory such as a magnetic disk. execution of processes directed by 

The search and retrieve procedure 136 is shown in . • . , , ^ 
FIG. 21 and includes step 570 where the user enters one ™t ^?^''yP^°'* device 724 is capable of computing 
or more search parameters such as date, date range, 35 ^S^tal signatures and of encryptmg and decryptmg 
name, key text words, compartment name, and the like. ^^hm it m a secure and tampcrproof 
Next in steps 572 and 574, the program inputs the in- ^^^^ ^he RS A authentiration pnvate key 726 and/or 
dexes 230 and 232 and looks for the search parameter or encryption key 728 which have been discussed 
parameters. When a match is found the con-esponding previously. The manufacturer's password 730, which 
working data block or blocks are input in step 576. In 40 ^^s also been discussed previously, is stored m the em- 
step 578, the program determines if there is only limited bodiment of FIG. 24 in the non-volatile RAM 720 and 
access, and if so, then deletes the non-accessed compart- thus is not encrypted and stored in the object code of 
ments from the inputted daU blocks in step 580; other- the diary program as m the previous embodiment m 
wise, the corresponding reference data block or blocks FIG. 3 at 168. Thus the diary program object code 704 
are input in step 582. 45 contain any portion of object code to decrypt 

The authenticate procedure is shown in detail in FIG. replace those data in the object code (see 166 in 

22 wherein the first step is to input the time-stamped F^G. 3). 

data (working data if reference data consists only of a The option of invalidating the manufacturer's pass- 
signature) and the signature (reference data). If the word in this embodiment is allowed to be a valid com- 
input data is working data text, then the program 50 mand to the encryption/decryption device 700 so long 
branches at 604 to the strip data procedure 508, FIG. 20, as the master password has been input to the device. 
At step 608 the program branches to conventional pub- The same procedure may be followed as in the software 
lie key procedure 610 if the public key procedm-e is used embodiment except that in this case the replacement of 
in au^entication. Otherwise, the program proceeds to the original manufacturer's password takes place in the 
step 612 where the signature is computed from the 55 encryption device; the manufacturer's password and its 
stripped text and appended tiine stamp. This computed replacement are placed in non- volatile RAM 720 in the 
signature is compared to the signature in the archived encryption device. 

reference data and if found identical at step 614 returns The device 700 accepts data from the CPU 702 via a 

a confirmation signal in step 616; otherwise a non-con- conununications port 732 which passes through a physi- 

firmation signal is returned in step 618. 60 cal seal 734 to an I/O port 736 connected to the bus 712. 

As illustrated in FIG. 23, the exit procedure 152, The physical seal prevents access to the circuits and 
FIG. 1, begins with detecting the checksum fiag in step data in the device 700 except through the port 732. The 
630 and the master password flag in step 632. If either microprocessor 708 and the I/O port 736 prevent sd- 
are false (F) then the program returns to the operating zure of control of the data and the device through the 
system. If both the checksum and master flags are true. 65 port 732 on bootup. Once the device is booted the mi- 
then the program at step 634 gives the user the opportu- croprocessor treats all input as data and reissues only 
nity to call the archive function 104 so that any new valid commands related to data authentication. A major 
diary entry that, may have been produced can be ar- function of the physical and electrical security is to 



04/08/2004, EAST Version: 1.4.1 



ensure that the keys and manufacturer's password can 
be kept secret 

In a diary embodunent employing the authenticadon- 
/encryption device 700, the device 700 is used to time- 
stamp and authenticate data in place of using software 5 
algorithms as was accomplished in the previously de- 
scribed software only embodiment at step 536 in FIG. 
18 or step 612 in HG. 22. The data is passed to the 
device 700 through the communications port 732 from 
the CPU 704. The data is stored in the RAM 722. The 10 
encryption device 724 is first used to compute the hash 
of the data. (This hash could alternatively be computed 
in the CPU and it alone be transmitted to the device 700 
instead of transmittmg the complete file and having the 
hash computed there.) Then the current time from the IS 
clock 716 is appended to the hash, and the encryption 
device is used to compute a digital signature of the hash 
and appended time using the authentication private key 
726. The hash, time, and digital signature are returned 
to the CPU 702. At tiiis pomt the diary object code flow 20 
resumes m FIGS. 18 or 22 as if steps 536 and 612 had 
proceeded strictly in the diary software object code. 

A second use of the authentication/encryption device 
700 is to encrypt and decrypt all data as it is stored and 
recovered from the archive file of FIG. 4. In function 25 
112 of FIG. 1, the CPU 702 passes the encrypted file, or 
a portion thereof, to the device 700 with the appropriate 
decryption instruction to decrypt the data, and the de- 
crypted data is returned to the CPU 702 by the device 
700. In function 110 of FIG. 1, the data to be stored is 30 
passed to the device 700 by the CPU 702 with the ap- 
propriate encryption instruction and the encrypted data 
is returned to the CPU 702 by the device 700. Instead of 
encryption and decryption being performed using the 
diary object code as in the previous embodiment, it is 35 
performed in the authentication/encryption device 700. 

When data is received by the device 700 to be en- 
crypted it is passed first by the I/O port 736 to RAM 
722 where it is encrypted by the encryption device 724 
using the secret DBS encryption key 728 and then the 40 
encrypted data is passed back to the CPU 702 by the 
input/output 736. Decryption is performed in a similar 
manner. 

The third and final function of the authentication/en- 
cryption device 700 is to perform authentication on data 45 
submitted to it In this case the public key authentica- 
tion step 610 of FIG. 22 which has been discussed above 
is performed within the device 700 instead of within the 
diary software. The authentication is performed using 
the public key of the private key-public key pair. The 50 
signature, decrypted using the public key, is returned to 
the CPU 702 where it may be compared to the stored 
time^tamped hash< The public key is stored within the 
encryption device 724 for convenience even though it is 
not secret and could be iaput with the data itself. S5 

At this point we remark that there are methods of 
authentication which have only a single secret key, so 
called secret key methods. In this case the time-stamped 
text with the digital signature for which verification of 
the authentication is desired is input to the secret-key 60 
encryption/authentication device 700 and a new digital 
signature is computed on the time stamped text without 
the current date being appended. Then the new digital 
signature is compared internally to the original digital 
signature and if tiiey are the same a confirmation signal 65 
is emitted to the CPU. In this approach the newly com- 
puted signature cannot be returned to the CPU to check 
authentication by comparison with the existing signa- 
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ture since, if this were done the user of the device could 
falsify an authentication by submitting data with a real- 
istic but falsified time-stamp and thus obtain the digital 
signature appropriate to any date without knowing the 
secret key. So in this case the device 700 follows the 
secret or non-public key path procedure outlined in 
FIG. 22. The device 700 internally computes the digital 
signature (612 of FIG. 22) of the time-stamped hash and 
then internally compares (step 614 of FIG. 22) to the 
input signature. If they are identical the device 700 
returns a confirmation signal to the CPU 702. If they are 
not identical a non-confirmation signal is returned but 
not the calculated signature itself. This same procedure 
would be followed if a secret key authentication 
method were used in the software only embodiment 

In a variation of the secret or non-public authentica- 
tion approach a second nearly identical encryption/au- 
thentication device (not shown) with the same secret 
key but without the capabihty to output a signature 
could perform the same verification of authentication 
without the verifier being able to falsify the document 
after he has received it. Note that the second device 
need not have a real-time clock 716, nor its battery 718, 
nor need it have an encryption capability except as 
required to compute the digital signature. We may term 
these second devices secret verification devices. Obvi- 
ously these devices will be substantially cheaper and 
more robust than the complete encryption/authentica- 
tion devices. Distribution of as many copies as desired 
of these secret verification boxes to all those who need 
to verify authentication of messages authenticated by 
the first secret encryption/authentication device would 
provide many of the benefits of a public key authentica- 
tion system. Of course the security of such a system 
rests on the ability of the physical seal 735 and the elec- 
tronic seals or safeguards to protect the private key 726 
which, in the case of the use of a secret key would likely 
not be an RSA key. Such a second private verification 
device could also be routinely given to a third party to 
be used in case there were questions about the authen- 
ticity of some diary reference data which had been 
output So long as the seals could be seen to be untam- 
pered with it would not be necessary to trust the third 
party. 

The use of the hardware authentication/encryption 
device 700, FIG. 24, ensures that the time of a diary 
entry cannot be falsified either by resetting the system 
clock in the CPU 702, nor by using advanced computer 
engineering methods to determine the secret keys and 
password 168, FIG. 3, in the object code and using them 
to access and/or change the passwords and data in the 
archive files. 

There still remains the possibility that the complete 
archive files can be erased by use of another program. 
Someone with access to the encryption key, or to the 
encryption device 700, but not the passwords could 
read the data even if they could not falsify it These 
possibilities can be prevented by means of the secure 
archival data storage device 750 in FIG. 25. This device 
750 is in many ways identical to the device 700 in FIG. 
24. The time-stamping and authentication capabilities 
discussed in connection with FIG. 24 are also available 
and implemented in a similar way in the secure archival 
data storage device. 

However, the device 750 differs in that it includes an 
archival storage medium, such as a high capacity disk 
drive and controller 752, connected through a second 
I/O port 754 to an I/O device 756. In the device 750 the 
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seal 734 encloses also the disk-drive and controller 752 
to prevent physical access to the archival files of FIO. 
4. As b the authentication/encryption device 700 of 
FIG. 25, the microprocessor 708 also examines all com- 
mands from the CPU 702 as data to ensure that they 5 
conform to a list of valid commands stored in ROM 710. 
A record is kept in non-volatile RAM 720 of locations 
on the hard disk where the reference data 226, FIG. 4, 
previously written are located. A command to write to 
these locations is not permitted. (Of course, should the 10 
disk he a WORM optical disk instead of a magnetic disk, 
as in this embodiment, it would be unnecessary to in- 
clude this restriction.) 

To further enhance the security of the embodiment 
using the secure archival memory system in FIG. 25, 15 
the software code which examines retrieved text to 
ensure that only data with the proper passwords are 
available to user (discussed above in connection with 
retrieval step 580 in FIG. 21) is replaced with similar 
code m the ROM 710 and used to delete data returned 20 
from the disk which is in compartments for which pass- 
words have not been received from the CPU 702: This 
ensures that such data never leaves the protected and 
secure archival memory device consisting of the disk 
drive and controller 752 together with the authentica- 25 
tion/encryption device 750 within the physical seal 734, 
unless the appropriate passwords have been input The 
code discussed in reference to step 580 in FIG. 21 is thus 
transferred from the diary object code of FIG. 3 to the 
ROM 710 in the embodiment in which the secure archi- 30 
val memory device is used. 

Also, since the device 750 protects the data from 
those who do not have knowledge of the passwords, 
and also protects the reference data from alteration 
even by the diarist, it is no longer necessary to encrypt 35 
the data or the index before it is archived^ and corre- 
spondingly no longer necessary to decrypt it upon re- 
trieval. So these functions of the software and hardware 
which have previously been discussed can be removed 
from the diary software and hardware. 40 

The above described software and/or hardware 
forming a personal computer diary is designed to be 
incorporated in any conventional computer including 
conventional personal . desktop, laptop and notebook 
computers. Additionally the disclosed personal com- 45 
puter diary can be incorporated in a special purpose 
personal computer similar to a conventional notebook 
computer, but limited to use as a personal diary with 
seals enclosing the clock, disk or other, permanent stor- 
age, encryption circuitry, and input/output circuitry. 50 
The special purpose diaiy computer can be provided 
with built-in public/private key time stamping and/or 
encryption facilities. 

Since many modifications, variations and changes in 
detail can be made to the above described embodiments 55 
without departing from the: scope and spirit of the in- 
vention, it is intended that the above description and the 
accompanying drawings be interpreted as only illustra- 
tive and not in a limiting sense. 

What is claimed is: €0 

1. A computer system for archiving data blocks, com- 
prising 

data processing means for forming and editing origi? . 

nal data blocks; 
means for generating and storing a first representa- 65 

tion of each formed and edited original data block 

combined with an original date as a reference data 

block; 



means for preventing modification of a reference data 
block; . 

means for storing a second version of each original 
data block and corresponding original date in asso- 
ciation with the respective reference data block as 
a working data block; 

means for modifying one of said stored working data 
blocks to produce a modified working data, block 
wherein the modifications to said one working data 
block are made by marking the one working data 
block so that the modifications can be identified 
and removed or restored to recreate the corre- 
sponding original data block; and 

authentication means for removing the marked modi- 
fications from the modified working data block to 
recreate the corresponding original data block and 
original date and for generating a representation of 
such recreated original data block which is identi- 
cal to the corresponding stored reference data 
block in the absence of corruption of said data 
blocks. 

2. A computer system for archiving data blocks as 
claimed in claim 1 wherein the means for generating 
and storing reference data blocks includes encryption 
means. 

3. A computer system for archiving data blocks as 
claimed in claim 1 including authentication means for 
comparing the representation of the recreated original 
data block and original date with the corresponding 
stored reference data block. 

4. A computer system for archiving data blocks as 
claimed in claim 1 wherein said means for generating 
and storing reference data blocks includes 

a real time clock, 

means for appending the current date from said real- 
time clock as said original date to each original data 
block; and 

means for forming an encrypted digital signature of 
each original data block and appended date. 

5. A computer system for archiving data blocks as 
claimed in claim 4 wherein each reference data block 
comprises the corresponding digital signature. 

6. A computer diary comprising 

a real-time clock including means for generating a 
current date; 

processing means for forming and editing original 
diary entries; 

archiving means for storing each original diary entry 
as both a reference data block and a working data 
block and for storing the current date as an original 
diary date associated with the respective reference 
data block; 

means for modifying a selected one of said stored 
working data blocks to produce a modified diary 
entry by marking the modifications to the selected 
working data block so that the modifications can be 
identified and removed to restore the correspond- 
ing original diary entry; and. 

means for retrieving the modified working data block 
and removing the marked modifications from said 
modified working data block to form, an authenti- 
cation data block for being authenticated as identi- 
cal to the corresponding stored reference data 
block. 

7. A computer diary as claimed in claim 6 wherein the 
means for marking modifications include means for 
bracketing a portion of an original diary entry with tear 
out codes to identify such portion as a tear out portion, 
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and means for preventing display of the tear out portion correct absolute date of the detected relative date 

except upon entry of a tear out password. phrase; and 

8. A computer diary as claimed in claim 7 including means for placing, the selected absolute date in the 
means for keeping track of the amount of text marked respective text entry. 

with tear-out codes, during a predetermined period of 5 16. A computer system as claimed in claim 15 

time, and means for limiting the total amount of text wherein the means for placing the computed absolute 

marked with tear-out codes during the predetermined dates in the text entry includes means for bracketing the 

period of time, absolute dates with implied date codes. 

9. A computer diary as claimed in claim 6 wherein the 17. A computer system as claimed in claim 16 
means for marking modifications include means for 10 wherein the processing means includes display means 
bracketing a portion of an original diary entry with for displaying text entries, and user controlled means 
mark out codes to identify such portion as a marked out for selectively displaying or hiding absolute dates 
portion, means for bracketing inserted material in the bracketed by implied date codes. 

original diary entry with insert codes to identify such 18. A computer system for storing and retrieving 

inserted material* and means for displaying marked out 15 digital data comprising 

portions and inserted material with respective distin- storage means for storing a data (He; 

guishing characteristics so that such displayed marked first password means for enabling master access to 

out portions and inserted material can be readily distin- the computer system upon correct entry of a mas- 

guished £rom any remaining portion of the original ter password by a user; 

diary entry. 20 data processing means enabled by the first password 

10. A computer system for entering and editing tex- means for forming, storing, retrieving and editing 
tual data entries comprising data blocks in the data file; 

processing means for forming and editing text entries said data processing means including means for 

as input by a user; bracketing user selected portions of the stored data 

means for storing and retrieving each text entry; 25 blocks with predetermined compartment codes to 

a list of aliases together with one or more specific define said bracketed data portions as belonging to 

identifiers for each alias; one or more user defined compartments; and 
means for monitoring the input of text entries to de- second password means responsive to entry of one or 
tect entry of an alias in said list; more compartment passwords for enabling re- 
means for displaying the one or more specific identi- 30 trieval of selected portions of the stored data 
fiers corresponding to the detected alias to assist blocks in said one or more user defined compart- 
the user to select a correct identifier of the detected ments and for preventing retrieval of all other por- 
alia^ and tions of stored data in the data file, 
means for placing the selected identifier in the respeo- 19. A computer system as claimed in claim 18 
tive text entry adjacent the detected alias. 35 wherein the data processing means includes user se- 
ll. A computer system as claimed in claim 10 lected display means for selecting display or non-dis- 
wherein the list of aliases includes pronouns. play of portions of data blocks within the user defined 

12. A computer system as claimed in claim 10 compartment when enabled by the master password, 
wherem the placing means brackets the placed identifier 20. A computer system as claimed in claim 19 
with alias codes in the respective text entry. 40 wherein the user selected display means further in- 

13. A computer system as claimed in claim 10 eludes means for selecting display or non-display of a 
wherein the specific identifier displaying means in- symbol indicating the location and presence of a non- 
cludes means to add an additional specific identifier to displayed portion of a data block. 

the displayed list 21. A computer system as claimed in claim 20 

14. A computer system as claimed in claim 10 includ- 45 wherein the symbol includes an indication of the size of 
ing means for sorting the displayed list of specific identi- the non-displayed portion of the data block. 

fiers to place the selected specific identifier at the top of 22. A computer system as claimed in claim 18 

the list and to place the closest previous different spe- wherein said selected portions enabled for retrieval by 

cific identifier corresponding to the detected alias sec- the second password means are those portions con- 

ond on the list 50 tained within any of the one or more compartments 

15. A computer system for entering and editing tex- corresponding to the one or more entered compartment 
tual data entries comprising passwords. 

processing means for forming and editing text entries 23. A computer system as claimed in claim 18 

including relative date phrases as input by a user; wherein said selected portions enabled for retrieval by 

means for storing and retrieving each text entry; 55 said second password means arc those portions con- 

a plurality of formulas for calculating absolute dates tained within any of the one or more compartments 

from relative date phrases; corresponding to the one or more entered compartment 

a list of relative date phrases together with corre- passwords and not within compartments corresponding 

sponding index pointers to the respective formulas to non-entered compartment passwords, 

for computing absolute dates from the relative date 60 24. A computer system as claimed in claim 18 

phrases; wherein said means for bracketing includes means for 

means for monitoring the input of text entries to de- performing nested bracketing, 

tect entry of a relative date phrase in said list; 25. A computer system as claimed in claim 24 

means responsive to the detection of a relative date wherein said selected portions enabled for retrieval by 
phrase for computing an absolute date using the 65 the second password means are those portions con- 
corresponding formula and for displaying the com- tained within any of the one or more compartments 
puted absolute date corresponding to the detected corresponding to the one or more entered compartment 
relative date phrase to assist the user to select a passwords. 
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26. A computer system as claimed in claim 24 
wherein said selected portions enabled for retrieval by 
said second password means are those portions con* 
tained within any of the one or more compartments 
corresponding to the one or more entered compartment S 
passwords and not within compartments corresponding 
to non-entered compartment passwords. 

27. A computer system for archiving data blocks 
comprising: 

means for forming and appending original data blocks 10 
in a diary file; 

means for generating a current date; 

said original data block forming and appending means 
including means for appending the current date to 
the original data blocks when appending in the IS 
diary file to form time stamped original data blocks 
in the diary file; 

means for preventing any alteration of the time 
stamped original data blocks in the diary file; 

means for determining if said current date is later than 20 
the date of the time stamped data block most re- 
cently previously stored in the diary file; and 

means responsive to the determining means for pre- 
venting said original data block forming and ap- 
pending means from appending any original data 25 
block in the diary file when the determining means 



determines that the current date is not later than 
the date of the time stamped data block most re- 
cently stored in the diary file. 

28. A computer system for archiving data blocks as 
claimed in claim 27 wherein said original data block 
forming and appending means includes means for com- 
puting an encrypted digital signature of the time- 
stamped data blocks. 

29. A computer system for archiving data blocks as 
claimed in claim 27 wherein said alteration preventing 
means includes means for encrypting the original data 
blocks in the diary file to prevent tampering with the 
diary file. 

30. A computer system for archiving data blocks as 
claimed in claim 27 including means for computing and 
storing an authenticity check of the diary file after ap- 
pending an original data block; means for recomputing 
the authenticity check of a diary file before appending; 
means for comparing the recomputed authenticity 
check with the stored authenticity check; and means 
responsive to any difference between the recomputed 
authenticity check and the stored authenticity check for 
preventing said original data block forming and append- 
ing means from appending any original data block to the 
diary fiile. 

* * * * * 
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